Playbook for the Secure Enterprise
Compliance Impact Scoreboard
CyberSecurity Latest Rundown
Heroes, late breaking critical news. Here's a detailed look at the current cybersecurity landscape for October 12, 2025.
CRITICAL ITEMS
-
CVE-2025-11371: Unpatched zero-day in Gladinet CentreStack, Triofox under attack
Date & Time: 2025-10-11T20:25:16
An unpatched zero-day Local File Inclusion (LFI) vulnerability, tracked as CVE-2025-11371, is being actively exploited in Gladinet CentreStack and Triofox products. This flaw allows a local user to access sensitive system files, potentially leading to further system compromise.
Business impactExploitation can lead to unauthorized access to confidential data, credential theft, and a foothold for lateral movement within the network. This poses a direct risk to data integrity and can trigger regulatory penalties under SOX for failing to protect financial data systems.Recommended actionImmediately review systems running Gladinet CentreStack and Triofox. Apply vendor patches as soon as they become available. In the interim, restrict access to affected systems and monitor for any signs of anomalous file access or system activity.CVE: CVE-2025-11371 | Compliance: SOX | Source: securityaffairs.com β
-
Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit
Date & Time: 2025-10-10T16:12:15
A critical authentication bypass vulnerability (CVE-2025-5947) in the Service Finder Bookings WordPress plugin is being actively exploited. The flaw allows any unauthenticated attacker to gain administrator-level access to the affected website. Over 13,800 exploit attempts have already been detected in the wild.
Business impactSuccessful exploitation grants attackers full control over the website, enabling them to deface the site, steal user data, inject malware, or use the site to launch further attacks. This poses a significant risk to brand reputation and data security.Recommended actionAll users of the Service Finder Bookings WordPress plugin must update to version 6.1 or later immediately. Review administrator accounts for any unauthorized additions and scan the website for signs of compromise.CVE: CVE-2025-5947 | Compliance: FISMA | Source: hackread.com β
-
Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks
Date & Time: 2025-10-11T13:04:00
The threat actor Storm-2603 (aka Gold Salem) is abusing the legitimate open-source digital forensics and incident response (DFIR) tool, Velociraptor. The group is using the tool's capabilities for reconnaissance and lateral movement in attacks that deploy Warlock and LockBit ransomware variants.
Business impactThe abuse of a trusted DFIR tool makes detection challenging, as its activity can be mistaken for legitimate administrative or incident response actions. This 'living off the land' technique can lead to widespread ransomware deployment before the intrusion is detected.Recommended actionSecurity teams should monitor for anomalous use of Velociraptor or other DFIR tools. Establish strict baselines for legitimate administrative tool usage and investigate any executions that deviate from expected patterns, especially those originating from unusual user accounts or systems.CVE: n/a | Compliance: SOX | Source: thehackernews.com β
-
SquareX exposes how AI browsers fall prey to OAuth hijacks and malware traps
Date & Time: 2025-10-10T21:06:47
Security research from SquareX reveals that emerging AI Browsers are vulnerable to attacks that can lead to sensitive data exfiltration and malware distribution. Attackers can exploit these vulnerabilities to hijack OAuth tokens and compromise enterprise accounts integrated with these browsers.
Business impactAs enterprises adopt AI Browsers, these vulnerabilities create a new attack surface. Compromised AI browsers could lead to the loss of corporate data, unauthorized access to cloud services, and the introduction of malware into the corporate environment.Recommended actionEvaluate the security posture of any AI Browser before enterprise-wide deployment. Implement strict permission controls for applications connecting via OAuth and educate users on the risks of granting excessive permissions to browser extensions and integrations.CVE: n/a | Compliance: SOX | Source: www.lastwatchdog.com β
-
Cybercrime ring GXC Team dismantled in Spain, 25-year-old leader detained
Date & Time: 2025-10-11T18:21:51
Spainβs Guardia Civil has successfully dismantled the 'GXC Team' cybercrime group, arresting its 25-year-old Brazilian leader. The group was a significant supplier in the cybercrime ecosystem, selling AI-powered phishing kits and Android malware.
Business impactThe takedown of a key supplier of malicious tools may temporarily disrupt the operations of other cybercriminal groups that relied on their offerings. However, the techniques and tools they developed will likely be replicated by others.Recommended actionThis is an intelligence and awareness item. Security teams should remain vigilant for AI-powered phishing attacks and ensure mobile device management (MDM) solutions are in place to detect and block Android malware.CVE: n/a | Compliance: HIPAA, PCI DSS | Source: securityaffairs.com β
-
Apple doubles maximum bug bounty to $2M for zero-click RCEs
Date & Time: 2025-10-10T23:38:15
Apple has doubled its maximum bug bounty payout to $2 million for the discovery of zero-click remote code execution vulnerabilities in its platforms. This move is intended to incentivize security researchers to disclose critical flaws directly to Apple rather than selling them on the gray market.
Business impactThis is a positive security development. A stronger bug bounty program increases the likelihood that critical vulnerabilities will be discovered and patched before they can be widely exploited by threat actors, enhancing the security of Apple devices used in corporate environments.Recommended actionThis is an intelligence and awareness item. No direct action is required.CVE: n/a | Compliance: SOX, HIPAA | Source: securityaffairs.com β
-
AI Security Skills Drive Up Cyber Salaries, as Cyber Teams Grow Arsenal of AI Tools
Date & Time: 2025-10-10T13:00:00
A new report indicates that expertise in AI security is becoming a major factor in driving higher cybersecurity salaries. Concurrently, security teams are increasingly adopting AI and agentic AI tools to augment their defensive capabilities.
Business impactOrganizations will face increased competition and salary demands for talent with AI security skills. Investing in training for existing staff and adopting AI-powered security tools will be crucial for maintaining a competitive security posture.Recommended actionLeadership should review talent acquisition and retention strategies to attract and keep professionals with AI security skills. Evaluate and pilot AI-based security tools to improve efficiency and detection capabilities.CVE: n/a | Compliance: SOX, GDPR | Source: www.tenable.com β
-
Human-in-the-loop: When your AIβs creativity becomes your legal liability
Date & Time: 2025-10-10T17:49:42
This analysis highlights the emerging legal risks associated with autonomous AI agents. These agents can make commitments or take actions on behalf of a company that may not be authorized or anticipated, creating significant legal and financial liabilities.
Business impactUnmonitored AI agents can create binding agreements, violate compliance regulations, or misrepresent the company, leading to lawsuits and financial losses. This is a critical governance and risk management issue for organizations deploying autonomous AI.Recommended actionImplement a strong governance framework for all AI agents. Ensure a 'human-in-the-loop' for critical decisions and maintain comprehensive audit logs of all agent actions to mitigate legal and operational risks.CVE: n/a | Compliance: SOX | Source: www.strata.io β
HIGH SEVERITY ITEMS
-
Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts
Date & Time: 2025-10-11T13:30:00
Security firm Huntress is warning of a widespread campaign targeting SonicWall SSL VPN devices. Threat actors are reportedly compromising these devices and using them to authenticate to numerous customer environments, with the speed of the attacks suggesting an automated or large-scale operation.
Business impactCompromised VPNs provide a direct entry point into corporate networks, bypassing perimeter defenses. This can lead to data breaches, ransomware attacks, and significant business disruption.Recommended actionOrganizations using SonicWall SSL VPNs should immediately investigate for signs of compromise. Monitor for unusual login patterns, enforce multi-factor authentication (MFA) on all VPN accounts, and ensure devices are running the latest patched firmware.CVE: n/a | Compliance: SOX | Source: thehackernews.com β
-
Homeland Security reassigns hundreds of CISA cyber staffers
Date & Time: 2025-10-12T07:29:44
Reports indicate that the Department of Homeland Security is reassigning hundreds of CISA (Cybersecurity and Infrastructure Security Agency) employees to support other non-cybersecurity related government initiatives. This move is raising concerns about its potential impact on the nation's cybersecurity readiness.
Business impactA reduction in CISA's operational capacity could slow down the dissemination of threat intelligence, vulnerability warnings, and incident response support for both public and private sector organizations. This could leave U.S. businesses more vulnerable to cyberattacks.Recommended actionThis is a strategic intelligence item. Organizations should consider diversifying their threat intelligence sources and strengthening public-private information sharing partnerships to compensate for any potential reduction in CISA's output.CVE: n/a | Compliance: SOX | Source: techcrunch.com β
EXECUTIVE INSIGHTS
-
Revisiting CISA Priorities for FY2026 and Beyond
Date & Time: 2025-10-12T09:31:00
With new leadership and a shifting geopolitical landscape, CISA's priorities for the upcoming fiscal year are being re-evaluated. This analysis explores the potential changes in focus for the agency, which, combined with recent reports of staff reassignments, signals a period of significant transition. For business leaders, understanding these shifts is crucial for aligning public-private partnership efforts and anticipating changes in federal cybersecurity guidance and support.
Source: securityboulevard.com β
VENDOR SPOTLIGHT
-
Spotlight Rationale: Today's critical threats include two actively exploited vulnerabilities: a zero-day LFI CVE-2025-11371 in Gladinet/Triofox and an authentication bypass CVE-2025-5947 in a WordPress plugin. This highlights the urgent need for comprehensive vulnerability and exposure management to identify and prioritize these risks across the enterprise attack surface. Tenable is selected for its leadership in this domain.
Threat Context: CVE-2025-11371: Unpatched zero-day in Gladinet CentreStack, Triofox under attack
Platform Focus: Tenable One Exposure Management Platform
The Tenable One platform provides a unified view of all assets and their associated vulnerabilities, whether on-premises, in the cloud, or in web applications. It can help organizations quickly identify instances of vulnerable software like Gladinet CentreStack or the Service Finder WordPress plugin. By correlating vulnerability data with threat intelligence and asset criticality, Tenable helps security teams prioritize the most significant risks, such as actively exploited zero-days, and provides guidance for remediation.
Actionable Platform Guidance: Use Tenable Vulnerability Management to immediately launch targeted scans against your infrastructure. Focus scans on web servers to identify WordPress installations and the Service Finder plugin. Create a dynamic asset tag for all systems running Gladinet CentreStack or Triofox to enable continuous monitoring. Configure dashboards and alerts to immediately flag any new detections of CVE-2025-11371 or CVE-2025-5947.
Source: www.tenable.com β
DETECTION & RESPONSE KIT
-
β οΈ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Tenable One
# Action: Create a targeted scan for today's critical vulnerabilities. 1. **Navigate to Scans > New Scan**. 2. Select the **Advanced Network Scan** template. 3. In the **Settings** tab, name the scan "CRITICAL - CVE-2025-11371 & CVE-2025-5947 Detection". 4. In the **Targets** field, enter the IP ranges for your web servers and application servers. 5. Go to the **Plugins** tab and select "Disable All". 6. Search for and enable plugins related to: - "Gladinet CentreStack" - "Triofox" - "WordPress Service Finder Bookings Plugin" - Specific CVE IDs: "CVE-2025-11371", "CVE-2025-5947" 7. Save and launch the scan. 8. **Verification**: Review scan results for any hosts flagged with these vulnerabilities and escalate to the incident response team.2. YARA Rule for Storm-2603 Velociraptor Abuse
rule Storm2603_Velociraptor_Abuse_Oct25 { meta: description = "Detects potential abuse of the Velociraptor DFIR tool by Storm-2603, associated with LockBit ransomware." author = "Threat Rundown" date = "2025-10-12" reference = "https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html" severity = "high" tlp = "white" strings: // Velociraptor client artifacts often used in standalone deployments $s1 = "velociraptor.config.yaml" ascii wide $s2 = "velociraptor --config" ascii wide $s3 = "VQL_CLIENT_QUERY" ascii wide // Environment variable for queries // Strings associated with LockBit, often deployed by Storm-2603 $lb1 = "Restore-My-Files.txt" ascii wide $lb2 = ".lockbit" ascii wide condition: (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($lb*)) }3. SIEM Query β WordPress Auth Bypass Exploit Attempts (CVE-2025-5947)
index=web sourcetype=web_access (uri_path="/wp-admin/*" OR uri_path="/wp-login.php") status=200 http_method=POST // Look for successful admin access from IPs with no prior successful login activity | stats count as event_count, earliest(_time) as first_seen, latest(_time) as last_seen by src_ip, user_agent, uri_path | where event_count < 5 // Filter for initial access attempts, not established sessions | `get_geoip_location(src_ip)` | join type=left src_ip [ search index=auth sourcetype=wordpress earliest=-30d "logged in successfully" | dedup user_ip | table user_ip | rename user_ip as src_ip | eval known_ip=true ] | where isnull(known_ip) | table first_seen, src_ip, user_agent, uri_path, country | sort -first_seenThis rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!