Heroes, late-breaking critical news. Here's a detailed look at the current cybersecurity landscape for October 12, 2025.
Date & Time: 2025-10-11T20:25:16
An unpatched zero-day Local File Inclusion (LFI) vulnerability, tracked as CVE-2025-11371, is being actively exploited in Gladinet CentreStack and Triofox products. This flaw allows a local user to access sensitive system files, potentially leading to further system compromise.
Business impact: Exploitation can lead to unauthorized access to confidential data, credential theft, and a foothold for lateral movement within the network. This poses a direct risk to data integrity and can trigger regulatory penalties under SOX for failing to protect financial data systems.
Recommended action: Immediately review systems running Gladinet CentreStack and Triofox. Apply vendor patches as soon as they become available. In the interim, restrict access to affected systems and monitor for any signs of anomalous file access or system activity.
CVE Details: CVE-2025-11371
Compliance Realm: SOX
Source: securityaffairs.com
Date & Time: 2025-10-10T16:12:15
A critical authentication bypass vulnerability (CVE-2025-5947) in the Service Finder Bookings WordPress plugin is being actively exploited. The flaw allows any unauthenticated attacker to gain administrator-level access to the affected website. Over 13,800 exploit attempts have already been detected in the wild.
Business impact: Successful exploitation grants attackers full control over the website, enabling them to deface the site, steal user data, inject malware, or use the site to launch further attacks. This poses a significant risk to brand reputation and data security.
Recommended action: All users of the Service Finder Bookings WordPress plugin must update to version 6.1 or later immediately. Review administrator accounts for any unauthorized additions and scan the website for signs of compromise.
CVE Details: CVE-2025-5947
Compliance Realm: FISMA
Source: hackread.com
Date & Time: 2025-10-11T13:04:00
The threat actor Storm-2603 (aka Gold Salem) is abusing Velociraptor, a legitimate open-source digital forensics and incident response (DFIR) tool. The group is using the tool's capabilities for reconnaissance and lateral movement in attacks that deploy Warlock and LockBit ransomware variants.
Business impact: The abuse of a trusted DFIR tool makes detection challenging, as its activity can be mistaken for legitimate administrative or incident response actions. This 'living off the land' technique can lead to widespread ransomware deployment before the intrusion is detected.
Recommended action: Security teams should monitor for anomalous use of Velociraptor or other DFIR tools. Establish strict baselines for legitimate administrative tool usage and investigate any executions that deviate from expected patterns, especially those originating from unusual user accounts or systems.
CVE Details: n/a
Compliance Realm: SOX
Source: thehackernews.com
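A baseline-deviation check of the kind the recommendation above describes, as an added example that is not part of this rundown or of the Velociraptor project: the approved IR accounts, hosts, install path and parent processes are constructed assumptions, as is the sample process telemetry, and any Velociraptor execution that falls outside them is returned together with the reasons.

```python
import re
from collections import namedtuple

# Constructed baseline of sanctioned Velociraptor usage; a real one comes from the IR team's own inventory.
BASELINE = {
    "users": {"corp\\ir-svc", "corp\\dfir-analyst"},
    "hosts": {"ir-jump01", "ir-jump02"},
    "install_dir": "c:\\program files\\velociraptor\\",
    "parents": {"services.exe", "velociraptor.exe"},
}
CONFIG_RE = re.compile(r'--config\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)  # quoted or bare path

# One process-creation event (e.g. Sysmon event 1), as normalised by a hypothetical collector.
ProcEvent = namedtuple("ProcEvent", "host user image cmdline parent")

def velociraptor_deviations(ev: ProcEvent, baseline: dict = BASELINE) -> list[str]:
    """Ways this execution deviates from the baseline; [] means sanctioned (or not Velociraptor at all)."""
    image, cmd = ev.image.lower(), ev.cmdline.lower()
    if "velociraptor" not in image and "velociraptor" not in cmd:
        return []
    reasons = []
    if ev.user.lower() not in baseline["users"]:
        reasons.append(f"unexpected account {ev.user}")
    if ev.host.lower() not in baseline["hosts"]:
        reasons.append(f"unexpected host {ev.host}")
    if not image.startswith(baseline["install_dir"]):
        reasons.append(f"binary outside install dir: {ev.image}")
    if ev.parent.lower() not in baseline["parents"]:
        reasons.append(f"unusual parent {ev.parent}")
    # Standalone clients are driven by an ad-hoc config file; flag one kept outside the managed install.
    m = CONFIG_RE.search(ev.cmdline)
    cfg = (m.group(1) or m.group(2)) if m else None
    if cfg and not cfg.lower().startswith(baseline["install_dir"]):
        reasons.append(f"config outside install dir: {cfg}")
    return reasons

def triage(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Executions worth an analyst's attention, as (host, user, reasons)."""
    return [(e.host, e.user, r) for e in events if (r := velociraptor_deviations(e))]

# Constructed sample telemetry: a managed IR client, a standalone copy run from a user's Temp dir, and noise.
SAMPLE_EVENTS = [
    ProcEvent("IR-JUMP01", "CORP\\ir-svc", "C:\\Program Files\\Velociraptor\\velociraptor.exe",
              '"C:\\Program Files\\Velociraptor\\velociraptor.exe" --config '
              '"C:\\Program Files\\Velociraptor\\client.config.yaml" client', "services.exe"),
    ProcEvent("FILESRV03", "CORP\\jdoe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\velociraptor.exe",
              "velociraptor.exe --config C:\\Users\\jdoe\\AppData\\Local\\Temp\\velociraptor.config.yaml client",
              "cmd.exe"),
    ProcEvent("WKSTN-07", "CORP\\asmith", "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt", "explorer.exe"),
]
```

Feed `triage()` your own normalised process events; only the standalone copy in the sample set is returned, with all five reasons attached.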
Date & Time: 2025-10-10T21:06:47
Security research from SquareX reveals that emerging AI Browsers are vulnerable to attacks that can lead to sensitive data exfiltration and malware distribution. Attackers can exploit these vulnerabilities to hijack OAuth tokens and compromise enterprise accounts integrated with these browsers.
Business impact: As enterprises adopt AI Browsers, these vulnerabilities create a new attack surface. Compromised AI browsers could lead to the loss of corporate data, unauthorized access to cloud services, and the introduction of malware into the corporate environment.
Recommended action: Evaluate the security posture of any AI Browser before enterprise-wide deployment. Implement strict permission controls for applications connecting via OAuth and educate users on the risks of granting excessive permissions to browser extensions and integrations.
CVE Details: n/a
Compliance Realm: SOX
Source: www.lastwatchdog.com
Date & Time: 2025-10-11T18:21:51
Spain's Guardia Civil has successfully dismantled the 'GXC Team' cybercrime group, arresting its 25-year-old Brazilian leader. The group was a significant supplier in the cybercrime ecosystem, selling AI-powered phishing kits and Android malware.
Business impact: The takedown of a key supplier of malicious tools may temporarily disrupt the operations of other cybercriminal groups that relied on their offerings. However, the techniques and tools they developed will likely be replicated by others.
Recommended action: This is an intelligence and awareness item. Security teams should remain vigilant for AI-powered phishing attacks and ensure mobile device management (MDM) solutions are in place to detect and block Android malware.
CVE Details: n/a
Compliance Realm: HIPAA, PCI DSS
Source: securityaffairs.com
Date & Time: 2025-10-10T23:38:15
Apple has doubled its maximum bug bounty payout to $2 million for the discovery of zero-click remote code execution vulnerabilities in its platforms. This move is intended to incentivize security researchers to disclose critical flaws directly to Apple rather than selling them on the gray market.
Business impact: This is a positive security development. A stronger bug bounty program increases the likelihood that critical vulnerabilities will be discovered and patched before they can be widely exploited by threat actors, enhancing the security of Apple devices used in corporate environments.
Recommended action: This is an intelligence and awareness item. No direct action is required.
CVE Details: n/a
Compliance Realm: SOX, HIPAA
Source: securityaffairs.com
Date & Time: 2025-10-10T13:00:00
A new report indicates that expertise in AI security is becoming a major factor in driving higher cybersecurity salaries. Concurrently, security teams are increasingly adopting AI and agentic AI tools to augment their defensive capabilities.
Business impact: Organizations will face increased competition and salary demands for talent with AI security skills. Investing in training for existing staff and adopting AI-powered security tools will be crucial for maintaining a competitive security posture.
Recommended action: Leadership should review talent acquisition and retention strategies to attract and keep professionals with AI security skills. Evaluate and pilot AI-based security tools to improve efficiency and detection capabilities.
CVE Details: n/a
Compliance Realm: SOX, GDPR
Source: www.tenable.com
Date & Time: 2025-10-10T17:49:42
This analysis highlights the emerging legal risks associated with autonomous AI agents. These agents can make commitments or take actions on behalf of a company that may not be authorized or anticipated, creating significant legal and financial liabilities.
Business impact: Unmonitored AI agents can create binding agreements, violate compliance regulations, or misrepresent the company, leading to lawsuits and financial losses. This is a critical governance and risk management issue for organizations deploying autonomous AI.
Recommended action: Implement a strong governance framework for all AI agents. Ensure a 'human-in-the-loop' for critical decisions and maintain comprehensive audit logs of all agent actions to mitigate legal and operational risks.
CVE Details: n/a
Compliance Realm: SOX
Source: www.strata.io
Date & Time: 2025-10-11T13:30:00
Security firm Huntress is warning of a widespread campaign targeting SonicWall SSL VPN devices. Threat actors are reportedly compromising these devices and using them to authenticate to numerous customer environments, with the speed of the attacks suggesting an automated or large-scale operation.
Business impact: Compromised VPNs provide a direct entry point into corporate networks, bypassing perimeter defenses. This can lead to data breaches, ransomware attacks, and significant business disruption.
Recommended action: Organizations using SonicWall SSL VPNs should immediately investigate for signs of compromise. Monitor for unusual login patterns, enforce multi-factor authentication (MFA) on all VPN accounts, and ensure devices are running the latest patched firmware.
CVE Details: n/a
Compliance Realm: SOX
Source: thehackernews.com
Date & Time: 2025-10-12T07:29:44
Reports indicate that the Department of Homeland Security is reassigning hundreds of CISA (Cybersecurity and Infrastructure Security Agency) employees to support other non-cybersecurity related government initiatives. This move is raising concerns about its potential impact on the nation's cybersecurity readiness.
Business impact: A reduction in CISA's operational capacity could slow down the dissemination of threat intelligence, vulnerability warnings, and incident response support for both public and private sector organizations. This could leave U.S. businesses more vulnerable to cyberattacks.
Recommended action: This is a strategic intelligence item. Organizations should consider diversifying their threat intelligence sources and strengthening public-private information sharing partnerships to compensate for any potential reduction in CISA's output.
CVE Details: n/a
Compliance Realm: SOX
Source: techcrunch.com
Date & Time: 2025-10-12T09:31:00
With new leadership and a shifting geopolitical landscape, CISA's priorities for the upcoming fiscal year are being re-evaluated. This analysis explores the potential changes in focus for the agency, which, combined with recent reports of staff reassignments, signals a period of significant transition. For business leaders, understanding these shifts is crucial for aligning public-private partnership efforts and anticipating changes in federal cybersecurity guidance and support.
Source: securityboulevard.com
Spotlight Rationale: Today's critical threats include two actively exploited vulnerabilities: a zero-day LFI (CVE-2025-11371) in Gladinet CentreStack/Triofox and an authentication bypass (CVE-2025-5947) in a WordPress plugin. This highlights the urgent need for comprehensive vulnerability and exposure management to identify and prioritize these risks across the enterprise attack surface. Tenable is selected for its leadership in this domain.
Threat Context: CVE-2025-11371: Unpatched zero-day in Gladinet CentreStack, Triofox under attack
Platform Focus: Tenable One Exposure Management Platform
The Tenable One platform provides a unified view of all assets and their associated vulnerabilities, whether on-premises, in the cloud, or in web applications. It can help organizations quickly identify instances of vulnerable software like Gladinet CentreStack or the Service Finder WordPress plugin. By correlating vulnerability data with threat intelligence and asset criticality, Tenable helps security teams prioritize the most significant risks, such as actively exploited zero-days, and provides guidance for remediation.
Actionable Platform Guidance: Use Tenable Vulnerability Management to immediately launch targeted scans against your infrastructure. Focus scans on web servers to identify WordPress installations and the Service Finder plugin. Create a dynamic asset tag for all systems running Gladinet CentreStack or Triofox to enable continuous monitoring. Configure dashboards and alerts to immediately flag any new detections of CVE-2025-11371 or CVE-2025-5947.
Source: www.tenable.com
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Tenable One
# Action: Create a targeted scan for today's critical vulnerabilities.
1. **Navigate to Scans > New Scan**.
2. Select the **Advanced Network Scan** template.
3. In the **Settings** tab, name the scan "CRITICAL - CVE-2025-11371 & CVE-2025-5947 Detection".
4. In the **Targets** field, enter the IP ranges for your web servers and application servers.
5. Go to the **Plugins** tab and select "Disable All".
6. Search for and enable plugins related to:
- "Gladinet CentreStack"
- "Triofox"
- "WordPress Service Finder Bookings Plugin"
- Specific CVE IDs: "CVE-2025-11371", "CVE-2025-5947"
7. Save and launch the scan.
8. **Verification**: Review scan results for any hosts flagged with these vulnerabilities and escalate to the incident response team.
2. YARA Rule for Storm-2603 Velociraptor Abuse
rule Storm2603_Velociraptor_Abuse_Oct25 {
    meta:
        description = "Detects potential abuse of the Velociraptor DFIR tool by Storm-2603, associated with LockBit ransomware."
        author = "Threat Rundown"
        date = "2025-10-12"
        reference = "https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html"
        severity = "high"
        tlp = "white"
    strings:
        // Velociraptor client artifacts often used in standalone deployments
        $s1 = "velociraptor.config.yaml" ascii wide
        $s2 = "velociraptor --config" ascii wide
        $s3 = "VQL_CLIENT_QUERY" ascii wide // Environment variable for queries
        // Strings associated with LockBit, often deployed by Storm-2603
        $lb1 = "Restore-My-Files.txt" ascii wide
        $lb2 = ".lockbit" ascii wide
    condition:
        // PE file (MZ header) carrying at least one Velociraptor and one LockBit indicator
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($lb*))
}
3. SIEM Query - WordPress Auth Bypass Exploit Attempts (CVE-2025-5947)
index=web sourcetype=web_access
    (uri_path="/wp-admin/*" OR uri_path="/wp-login.php") status=200 http_method=POST
    ```Look for successful admin access from IPs with no prior successful login activity```
| stats count as event_count, earliest(_time) as first_seen, latest(_time) as last_seen by src_ip, user_agent, uri_path
| where event_count < 5  ```Filter for initial access attempts, not established sessions```
| iplocation src_ip  ```Built-in GeoIP enrichment (replaces a site-specific macro); adds a Country field```
| rename Country as country
| join type=left src_ip [
    search index=auth sourcetype=wordpress earliest=-30d "logged in successfully"
    | dedup user_ip
    | table user_ip
    | rename user_ip as src_ip
    | eval known_ip=1  ```A bare true here would be read as a field name and evaluate to null```
  ]
| where isnull(known_ip)
| table first_seen, src_ip, user_agent, uri_path, country
| sort -first_seen
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!