Microsoft has disclosed and patched two zero-day vulnerabilities that are under active exploitation. These flaws are part of a massive Patch Tuesday release that addresses 183 vulnerabilities in total. The active exploitation of these zero-days presents an immediate and significant risk to all organizations using Microsoft products.
Business impact
Active exploitation can lead to unauthorized system access, data breaches, ransomware deployment, and complete compromise of affected systems. The end-of-support for Windows 10 for non-enrolled PCs exacerbates the risk for organizations with legacy systems.
Recommended action
Prioritize the immediate deployment of Microsoft's October 2025 security updates, especially on internet-facing systems. Activate incident response procedures and hunt for indicators of compromise related to these zero-days.
Microsoft has released its largest Patch Tuesday to date, fixing 167 CVEs, including seven rated as Critical. The update addresses three zero-day vulnerabilities, two of which are confirmed to be exploited in the wild. The sheer volume of vulnerabilities requires a strategic and risk-based approach to patching.
Business impact
Failure to patch these vulnerabilities exposes the organization to a wide range of attacks, from remote code execution to privilege escalation. The high number of flaws can overwhelm IT teams, leading to patching gaps and increased risk exposure.
Recommended action
Use a risk-based vulnerability management platform to prioritize patches. Focus first on the exploited zero-days and critical vulnerabilities on internet-exposed assets. Monitor for any signs of exploitation attempts.
A critical vulnerability in ICTBroadcast autodialer software is being actively exploited in the wild. The flaw, an improper input validation issue, allows attackers to gain remote shell access. The active exploitation indicates that attackers are actively scanning for and compromising vulnerable servers.
Business impact
Successful exploitation could lead to a full compromise of the ICTBroadcast server, potential data theft of call records and customer information, and use of the server as a pivot point for further attacks into the network.
Recommended action
Immediately apply the patches provided by ICT Innovations. If patching is not possible, restrict access to the server's management interface and monitor for any signs of unauthorized access or suspicious activity.
Two critical vulnerabilities with a CVSS score of 10.0 have been disclosed in Red Lion Sixnet remote terminal units (RTUs). These flaws could allow an attacker to achieve remote code execution with the highest privileges, granting them full control over industrial processes.
Business impact
Exploitation of these vulnerabilities in an operational technology (OT) environment could result in physical disruption, sabotage of industrial processes, equipment damage, and potential safety incidents. This poses a severe risk to critical infrastructure sectors.
Recommended action
Isolate affected RTUs from the internet immediately. Apply patches from Red Lion as soon as possible. Implement network segmentation to prevent direct access to these devices from corporate IT networks.
The Advanced Persistent Threat (APT) group known as Mysterious Elephant is reportedly highly active and continuously evolving its tactics, techniques, and procedures (TTPs). The group, discovered in 2023, primarily targets government entities, indicating a focus on espionage and intelligence gathering.
Business impact
Organizations in the government sector or those that are contractors to government entities are at high risk of targeted attacks. A successful breach by this group could lead to the theft of sensitive state secrets, intellectual property, and strategic plans.
Recommended action
Government-focused organizations should review threat intelligence on Mysterious Elephant's TTPs and update their detection and response capabilities accordingly. Enhance monitoring of network traffic and endpoint activity for signs of sophisticated intrusion.
Ransomware attacks have continued at a high pace across Europe and the UK in the third quarter of 2025. The Qilin ransomware group has been identified as a leading threat actor in this campaign, suggesting a coordinated and aggressive effort to extort organizations in the region.
Business impact
Increased ransomware activity heightens the risk of operational downtime, significant financial loss from ransom payments and recovery costs, data exfiltration, and reputational damage. This poses a direct threat to business continuity.
Recommended action
Ensure robust, offline backup and recovery procedures are in place and tested. Implement multi-factor authentication across all services, particularly for remote access. Deploy advanced endpoint detection and response (EDR) solutions to detect ransomware behaviors.
Adobe has released security updates for over 35 vulnerabilities across its product line, including a critical flaw in its Connect collaboration suite. Such vulnerabilities in widely used enterprise software can provide attackers with an initial access vector into corporate networks.
Business impact
A critical vulnerability in a collaboration tool like Adobe Connect could be exploited to compromise user sessions, steal sensitive data shared during meetings, or gain a foothold within the network for lateral movement.
Recommended action
Administrators of Adobe products, particularly Adobe Connect, should review the latest security advisories and apply all relevant patches immediately to mitigate the risk of exploitation.
Apple has significantly increased its bug bounty rewards, now offering up to $2 million for a zero-click exploit. This move highlights the high value and threat level of sophisticated exploits targeting mobile devices and is intended to incentivize researchers to disclose vulnerabilities to Apple rather than selling them on the black market.
Business impact
While a positive development for security, the high payout underscores the severe risk posed by zero-click exploits, which can compromise devices without any user interaction. This reinforces the need for a defense-in-depth security posture for mobile device fleets.
Recommended action
This is a strategic intelligence item. No immediate action is required, but security leaders should recognize the increasing sophistication of mobile threats and ensure mobile device management (MDM) and mobile threat defense (MTD) solutions are in place.
SAP has patched a maximum-severity (CVSS 10.0) vulnerability in SAP NetWeaver AS Java. The flaw could allow an unauthenticated attacker to execute arbitrary commands, effectively taking complete control of the server. SAP systems often house the most critical business data, making this a high-priority threat.
Business impact
Compromise of an SAP NetWeaver server can lead to theft or manipulation of critical financial, HR, and supply chain data. It could also cause major disruption to core business operations that rely on the SAP environment.
Recommended action
SAP administrators must apply the security fixes released by SAP immediately. Review server logs for any signs of compromise or unusual activity, particularly related to the affected components.
Fortinet and Ivanti have released their October 2025 security updates, addressing multiple high-severity vulnerabilities across their product portfolios. These vendors provide critical network security and management functions, and flaws in their products are often targeted by threat actors for initial access.
Business impact
Unpatched vulnerabilities in security appliances like firewalls or remote access solutions can undermine an organization's entire security posture, allowing attackers to bypass defenses and gain privileged network access.
Recommended action
Review the security advisories from Fortinet and Ivanti and apply the necessary patches to all affected appliances and software. Prioritize patching for internet-facing systems.
This analysis posits that as work moves to browser-based platforms like Google Docs, Salesforce, and Slack, the traditional endpoint (the desktop) is becoming less relevant. The browser is now the primary workspace where data is handled and business is conducted. This paradigm shift requires a re-evaluation of security strategies, as traditional endpoint security tools may lack visibility and control over browser-based activities, creating significant security gaps.
Spotlight Rationale: With Microsoft releasing its largest-ever Patch Tuesday, including actively exploited zero-days ([Two New Windows Zero-Days](https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html)) and 167 total CVEs ([Microsoft’s October 2025 Patch Tuesday](https://www.tenable.com/210454)), organizations face a monumental task of prioritization and validation. A platform that can provide risk-based prioritization and exploitability context is essential.
Qualys ETM addresses the challenge of overwhelming vulnerability data by using AI to provide adaptive threat prioritization. Its new 'TruConfirm' feature for exposure exploitability validation is directly relevant to today's threats, allowing security teams to move beyond CVSS scores and confirm if a vulnerability like those in the Microsoft patch batch is actually exploitable in their specific environment. This helps focus limited remediation resources on the highest-risk issues first, such as the actively exploited Windows zero-days.
Actionable Platform Guidance: Use Qualys ETM to immediately identify all assets vulnerable to the CVEs mentioned in Microsoft's October release, specifically CVE-2025-24990 and CVE-2025-59230. Leverage TruRisk scoring to prioritize assets where these vulnerabilities are present alongside public exploits or active attacks. Use TruConfirm to validate exploitability and escalate patching for those confirmed exposures.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Qualys ETM
# Qualys Vulnerability Management, Detection and Response (VMDR) Configuration
# Step 1: Create a Dynamic Search List for October 2025 Microsoft Threats
# Navigate to Detections > Search Lists > New
# Title: "MS-OCT25 Critical Zero-Days"
# Criteria:
# vulnerabilities.vulnerability.cveIds: `CVE-2025-24990`, `CVE-2025-59230`
# (Add other critical CVEs from the Microsoft release as needed)
# Step 2: Create a Dashboard Widget for High-Risk Assets
# Navigate to Dashboards, select or create a dashboard
# Add a new widget (e.g., Table)
# Query for widget:
# vulnerabilities.vulnerability.qualysId:[QID for MS-OCT25 vulns] and risk.factors.isExploitable:true
# Step 3: Prioritize with TruRisk Score
# In the VMDR Prioritization tab, create a new Prioritization Report.
# Filter by assets with the "MS-OCT25 Critical Zero-Days" Search List.
# Sort by "TruRisk Score" descending.
# This will surface assets where the vulnerabilities pose the greatest actual risk.
# Step 4: Use TruConfirm for Validation (if available)
# For top priority assets, initiate TruConfirm scans to validate if the vulnerabilities are practically exploitable in your environment.
2. YARA Rule for ICTBroadcast Exploit (CVE-2025-2611)
rule Detect_ICTBroadcast_Exploit_CVE_2025_2611 {
meta:
description = "Detects potential web shell artifacts related to the exploitation of CVE-2025-2611 in ICTBroadcast."
author = "Threat Rundown"
date = "2025-10-15"
reference = "https://thehackernews.com/2025/10/hackers-target-ictbroadcast-servers-via.html"
severity = "high"
tlp = "white"
strings:
/* Look for common web shell functions in PHP files, a likely post-exploitation tool */
$s1 = "passthru($_REQUEST['cmd'])" ascii
$s2 = "shell_exec($_REQUEST['cmd'])" ascii
$s3 = "system($_REQUEST['cmd'])" ascii
$s4 = "eval(base64_decode($_POST['data']))" ascii
condition:
uint32(0) == 0x68703f3c and filesize < 100KB and any of ($s*)
}
3. SIEM Query — Detecting Potential Windows Zero-Day Exploitation
index=endpoint sourcetype="sysmon" EventCode=1
(ParentImage IN ("*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.EXE", "*\\msedge.exe", "*\\chrome.exe"))
(Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\mshta.exe"))
| eval risk_score=case(
match(ParentImage, "WINWORD.EXE") AND match(Image, "powershell.exe"), 90,
match(ParentImage, "msedge.exe") AND match(Image, "cmd.exe"), 75,
1==1, 50)
| where risk_score >= 75
| table _time, host, ParentImage, Image, CommandLine, risk_score
| sort -_time
4. PowerShell Script — Check for Microsoft Patch Installation
# This script checks for the presence of a specific KB article related to a patch.
# Replace 'KB50XXXXX' with the actual KB number for the critical Windows updates.
$targetKB = "KB50XXXXX" # Placeholder: Use actual KB from Microsoft's advisory
$computers = "localhost", "SERVER01", "WKSTN01"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "Checking $computer for patch $targetKB..." -ForegroundColor Yellow
try {
$session = New-CimSession -ComputerName $computer -ErrorAction Stop
$hotfix = Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $targetKB }
if ($hotfix) {
Write-Host "[+] Patch $targetKB is INSTALLED on $computer." -ForegroundColor Green
} else {
Write-Host "[-] Patch $targetKB is MISSING on $computer." -ForegroundColor Red
}
Remove-CimSession -CimSession $session
} catch {
Write-Host "[!] Could not connect to $computer: $($_.Exception.Message)" -ForegroundColor Red
}
} else {
Write-Host "[!] $computer is offline." -ForegroundColor Gray
}
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT