The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an unauthenticated server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite to its Known Exploited Vulnerabilities (KEV) catalog. This confirms the flaw is being actively exploited in the wild, posing a significant risk to organizations using the affected software.
Business impact
Successful exploitation can allow an unauthenticated attacker to interact with internal network services, exfiltrate sensitive data, scan internal networks, and potentially pivot to other systems, leading to a broader compromise.
Recommended action
Federal agencies are mandated to apply Oracle's patches by the CISA-stipulated deadline. All other organizations are strongly advised to prioritize patching immediately and hunt for indicators of compromise in network and application logs.
A high-severity vulnerability, dubbed 'TARmageddon', has been discovered in the popular async-tar Rust library and its derivatives. The flaw allows for path traversal when extracting tar archives, which could lead to arbitrary file writes and subsequent remote code execution if a malicious archive is processed by an application.
Business impact
Applications that use this library to handle untrusted tar archives are at risk of server compromise. This could lead to data breaches, service disruption, and the deployment of malware or ransomware on affected systems.
Recommended action
Developers must immediately update their projects to a patched version of the async-tar library (or its forks like tokio-tar). Conduct a thorough review of applications to identify any usage of the vulnerable component.
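As an added illustration (not code from async-tar or any of its forks), the following Rust function shows the check a hardened extractor applies to every archive entry name before writing it under the extraction root: absolute paths and any `..` component are refused outright, and a second helper refuses entries that would land under a directory an earlier entry created as a symlink. The extraction root, entry names and symlink list are constructed sample values.

```rust
// Added example: lexical validation of tar entry names, std only.
use std::path::{Component, Path, PathBuf};

/// Conditions a hardened extractor refuses rather than "fixes up".
#[derive(Debug, PartialEq)]
pub enum EntryError {
    Absolute,        // "/etc/passwd" or "C:\..." must never be honoured
    ParentTraversal, // any ".." component can escape the extraction root
    Empty,           // "" or "./" names nothing that should be written
}

/// Returns the on-disk path for `entry_name`, guaranteed to stay under `root`.
/// Purely lexical: pair it with `under_symlink` (or an O_NOFOLLOW open) so an
/// earlier symlink entry cannot redirect the write out of `root`.
pub fn safe_entry_path(root: &Path, entry_name: &str) -> Result<PathBuf, EntryError> {
    // Tar names are '/'-separated; treat backslashes as separators as well.
    let name = entry_name.replace('\\', "/");
    let mut out = root.to_path_buf();
    let mut pushed = 0;
    for comp in Path::new(&name).components() {
        match comp {
            Component::Normal(part) => {
                out.push(part);
                pushed += 1;
            }
            Component::CurDir => {} // "./" adds nothing
            Component::ParentDir => return Err(EntryError::ParentTraversal),
            Component::RootDir | Component::Prefix(_) => return Err(EntryError::Absolute),
        }
    }
    if pushed == 0 {
        return Err(EntryError::Empty);
    }
    Ok(out)
}

/// Archive-level check: `target` must not sit below a path that an earlier
/// entry in the same archive created as a symlink (`symlinks_seen` holds the
/// resolved on-disk paths of those entries).
pub fn under_symlink(symlinks_seen: &[PathBuf], target: &Path) -> bool {
    target
        .ancestors()
        .skip(1) // ancestors() yields the path itself first
        .any(|ancestor| symlinks_seen.iter().any(|s| s.as_path() == ancestor))
}

fn main() {
    let root = Path::new("/srv/extract"); // constructed sample root
    for name in ["app/config.toml", "../../outside.txt", "/etc/passwd", "./"].iter() {
        println!("{:?} -> {:?}", name, safe_entry_path(root, name));
    }
}
```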
TP-Link has addressed four vulnerabilities in its Omada gateway devices, two of which are critical and permit remote code execution (RCE). The most severe flaw is an operating system command injection vulnerability that can be exploited by an unauthenticated attacker.
Business impact
A successful attack could result in a complete takeover of the network gateway, allowing an adversary to intercept traffic, pivot into the internal network, and disrupt network operations. This poses a severe risk to network integrity and data confidentiality.
Recommended action
Administrators of TP-Link Omada gateways must apply the latest firmware updates immediately to mitigate the risk of exploitation. It is also recommended to restrict management interface access from untrusted networks.
The decentralized finance (DeFi) protocol BetterBank suffered a $5 million loss due to a sophisticated exploit targeting its reward minting logic. Attackers manipulated liquidity pools to illegitimately mint and claim a massive amount of reward tokens, which were then sold off.
Business impact
This incident resulted in direct and significant financial losses for the protocol and its users. It also caused severe reputational damage and eroded trust in the platform's security, potentially leading to a mass exodus of users and liquidity.
Recommended action
DeFi platforms must implement rigorous and continuous smart contract auditing, employ real-time threat monitoring for economic exploits, and establish incident response plans. Investors should diversify assets and carefully vet the security posture of protocols before investing.
The Russian-state-affiliated threat actor COLDRIVER (also known as Star Blizzard/Callisto Group) is rapidly evolving its malware toolkit. Following the public exposure of its 'LOSTKEYS' variant in May 2025, the group has been observed refining its tools with new capabilities, demonstrating high operational tempo and resilience.
Business impact
Organizations in sectors targeted by Russian intelligence (government, academia, defense) face an elevated risk of espionage campaigns. The actor's agility means that existing defenses may be quickly bypassed, increasing the likelihood of successful credential harvesting and data theft.
Recommended action
Security teams should update their threat intelligence platforms with the latest indicators of compromise (IOCs) for COLDRIVER. Enhance monitoring for phishing attempts and ensure multi-factor authentication is enforced on all external-facing services.
This analysis highlights the strategic shift from traditional perimeter-based security to a Zero Trust architecture. As threats like ransomware and data breaches escalate, businesses must adopt a layered, identity-centric approach that assumes no implicit trust, regardless of user location or network. This is a foundational change in security strategy, moving from protecting the network to protecting data and resources directly.
The compliance landscape is rapidly evolving, with new regulations like DORA (Digital Operational Resilience Act) and updates to standards like PCI-DSS demanding a continuous approach to compliance. The traditional model of annual audits is no longer sufficient; organizations must integrate compliance and security into their daily operations and development lifecycles (DevSecOps) to keep pace with regulatory demands and mitigate risk effectively.
Spotlight Rationale: Today's intelligence highlights critical vulnerabilities in network gateways ([CVE-2025-6541](https://nvd.nist.gov/vuln/detail/CVE-2025-6541) in TP-Link Omada) and the rapid evolution of malware from sophisticated threat actors like COLDRIVER. Fortinet's integrated security platform is directly relevant for mitigating these network-level threats through advanced intrusion prevention and up-to-date threat intelligence.
Platform Focus: Fortinet Security Fabric with FortiGate NGFWs and FortiGuard Labs Threat Intelligence
The Fortinet Security Fabric provides a robust defense against threats like the TP-Link Omada RCE flaw. FortiGate Next-Generation Firewalls (NGFWs), powered by FortiGuard IPS, can deploy virtual patches to block exploitation attempts against vulnerabilities like CVE-2025-6541 before official firmware can be applied. Furthermore, FortiGuard's real-time threat intelligence on actors like COLDRIVER ensures that FortiGate devices can identify and block command-and-control (C2) traffic from new malware variants, disrupting the attack chain.
Actionable Platform Guidance: Based on available intelligence, the following actions can be taken to harden defenses against network-based threats. Verify all steps against current Fortinet documentation.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Fortinet
```
# Actionable Guidance for FortiGate NGFW
# Disclaimer: This guidance is based on general platform knowledge.
# Verify against current Fortinet documentation.

# --- Immediate Actions ---

# 1. Enable and Configure Intrusion Prevention System (IPS)
# Ensure an aggressive IPS profile is applied to all relevant firewall policies.
config ips sensor
    edit "Aggressive_Protection"
        set comment "IPS sensor for critical assets"
        config entries
            edit 1
                # Rule IDs are space-separated in FortiOS. 11796 and 11798 are
                # example IDs for generic command injection; confirm the
                # signatures covering CVE-2025-6541 in the current FortiGuard
                # IPS database before relying on them.
                set rule 11796 11798
                set action block
                set log enable
            next
        end
    next
end
config firewall policy
    edit 1
        set name "WAN_to_DMZ"
        set srcintf "wan1"
        set dstintf "dmz"
        # ... other policy settings ...
        # utm-status must be enabled or the security profiles below are ignored
        set utm-status enable
        set ips-sensor "Aggressive_Protection"
        set logtraffic all
    next
end

# 2. Apply Web Filtering to Block Malicious C2 Domains
# Use FortiGuard categories to block known malicious sites used by actors like COLDRIVER.
# Each FortiGuard filter entry takes a single category ID:
# 26 = Malicious Websites, 61 = Phishing (verify against the current category list).
config webfilter profile
    edit "Block_Malicious_Categories"
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
end
config firewall policy
    edit 1
        # ... existing policy ...
        set webfilter-profile "Block_Malicious_Categories"
    next
end

# 3. Enable SSL Inspection
# To detect threats in encrypted traffic, enable deep inspection. Clients must
# trust the FortiGate CA certificate or they will see certificate warnings.
config firewall ssl-ssh-profile
    edit "deep-inspection-profile"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
config firewall policy
    edit 1
        # ... existing policy ...
        set ssl-ssh-profile "deep-inspection-profile"
    next
end

# --- Verification Steps ---

# 1. Verify IPS Logs for Triggered Signatures
# From the FortiGate CLI or GUI, check logs for IPS events.
# diagnose log test
# Go to Log & Report > Intrusion Prevention

# 2. Test Web Filter Policy
# Attempt to access a known malicious test site to confirm it is blocked.
# Example: www.eicar.org
```
2. YARA Rule for COLDRIVER 'LOSTKEYS' Variant
```yara
rule Detect_COLDRIVER_LOSTKEYS_Variant {
    meta:
        description = "Detects potential artifacts associated with the COLDRIVER LOSTKEYS malware variant."
        author = "Threat Rundown"
        date = "2025-10-22"
        reference = "https://securityaffairs.com/?p=183672"
        severity = "high"
        tlp = "white"
    strings:
        $s1 = "SpoolerManager.dll" ascii wide
        // Backslashes must be escaped inside YARA text strings
        $s2 = "Microsoft\\Credentials\\KeysSvc" ascii wide
        $s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0/CERT-21"
        $s4 = "LOSTKEYS_MUTEX_2025"
    condition:
        // PE file (MZ header), under 500 KB, containing at least one artifact string
        uint16(0) == 0x5a4d and filesize < 500KB and any of them
}
```
3. Splunk Search - Web Server or Runtime Processes Spawning Shells
```spl
index=oslogs sourcetype IN ("linux:audit", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
    parent_process_name IN ("node", "python*", "ruby", "java", "nginx", "apache2", "httpd")
| search process_name IN ("sh", "bash", "wget", "curl", "nc")
| eval risk_score=case(
    match(process_command, "/tmp/") OR match(process_command, "/var/tmp/"), 100,
    parent_process_name IN ("nginx", "apache2", "httpd"), 80,
    1==1, 50)
| where risk_score >= 80
| table _time, host, parent_process_name, process_name, process_command, risk_score
| sort -_time
```
4. PowerShell Script - Hunt for Oracle E-Business Suite SSRF IoCs
```powershell
<#
.SYNOPSIS
Scans IIS or Apache logs on a server for patterns indicative of the
Oracle E-Business Suite SSRF vulnerability (Oct 2025).
.DESCRIPTION
This script checks for requests to known vulnerable endpoints that contain
common SSRF payloads targeting internal IP addresses.
.NOTES
This is a hunting script, not a definitive detection. Review all findings.
#>
$logPaths = @(
    "C:\inetpub\logs\LogFiles\W3SVC1\*",
    "C:\oracle\EBS\logs\*"
    # Add other relevant log paths
)
# Regex to find SSRF patterns targeting internal IPs in request strings.
# Matches both the URL-encoded (%3A%2F%2F) and literal (://) scheme separator,
# since which form appears depends on how the web server logged the request.
$ssrfPattern = '(?i)(http|https|ftp|file)(%3A%2F%2F|://)(127\.0\.0\.1|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)'
Write-Host "[*] Starting SSRF pattern scan for Oracle E-Business Suite..." -ForegroundColor Yellow
foreach ($path in $logPaths) {
    # -File skips directories; SilentlyContinue skips paths absent on this host
    $files = Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue
    if ($files) {
        foreach ($file in $files) {
            Write-Host "[+] Checking log file: $($file.FullName)"
            # Named $hits rather than $matches, which is a PowerShell automatic variable
            $hits = Select-String -Path $file.FullName -Pattern $ssrfPattern -AllMatches
            if ($hits) {
                Write-Host "[!] POTENTIAL SSRF ACTIVITY DETECTED in $($file.Name)!" -ForegroundColor Red
                # Report file, line number and the matching log line for triage
                $hits | ForEach-Object { Write-Warning ("{0}:{1}: {2}" -f $_.Filename, $_.LineNumber, $_.Line) }
            }
        }
    }
}
Write-Host "[*] Scan complete." -ForegroundColor Green
```
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!