Threat actors are actively exploiting a critical vulnerability, CVE-2025-54236 (CVSS 9.1), in Adobe Commerce and Magento. The flaw, dubbed 'SessionReaper', allows unauthenticated attackers to bypass security features and hijack user accounts via the REST API. Security firm Sansec has observed over 250 attacks in a 24-hour period, indicating widespread and automated exploitation.
Business impact
Compromise of eCommerce platforms can lead to customer account takeover, theft of sensitive financial data, fraudulent transactions, and significant reputational damage. This poses a direct risk to revenue and customer trust, with potential for PCI DSS and GDPR compliance violations.
Recommended action
Immediately apply the patches released by Adobe in September. Audit Adobe Commerce and Magento logs for suspicious REST API activity, particularly unauthorized account modifications or session hijacking attempts. Prioritize patching for all public-facing eCommerce servers.
Multiple Chinese state-sponsored threat groups, including Storm-2603, Linen Typhoon, and Violet Typhoon, are exploiting a SharePoint vulnerability to gain initial access. According to Cisco Talos, exploitation of public-facing applications is the dominant initial access vector this quarter, appearing in over 60% of incident response engagements, largely driven by these 'ToolShell' attacks. This highlights a significant shift in tactics and the failure of organizations to apply patches in a timely manner.
Business impact
Successful exploitation grants attackers a foothold in the network, potentially leading to data exfiltration, deployment of ransomware like Warlock (linked to Storm-2603), and persistent access to sensitive corporate data stored on SharePoint.
Recommended action
Prioritize patching of all public-facing SharePoint servers. Implement network segmentation to limit lateral movement from compromised web servers. Hunt for web shells and anomalous processes on SharePoint servers, and review access logs for unusual activity originating from external IP addresses.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Motex LANSCOPE, tracked as CVE-2025-61932 (CVSS 9.3), to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the vulnerability is being actively exploited in the wild. Federal agencies are now mandated to patch this flaw by a specified deadline.
Business impact
LANSCOPE is an IT asset management tool, and its compromise could provide attackers with extensive visibility and control over an organization's entire network infrastructure. This could facilitate widespread malware deployment, data theft, and complete network compromise.
Recommended action
All organizations using Motex LANSCOPE should immediately apply the relevant security patches. Federal agencies must adhere to the CISA directive. All other organizations are strongly advised to prioritize this patch due to confirmed active exploitation.
A sophisticated spear-phishing campaign named PhantomCaptcha is targeting humanitarian organizations involved in Ukraine war relief, including the Red Cross and UNICEF. The campaign, observed on October 8, 2025, uses advanced social engineering to deliver a Remote Access Trojan (RAT) that communicates over WebSockets, a technique used to evade traditional network security controls.
Business impact
A compromise of these organizations could disrupt critical humanitarian aid operations, expose sensitive data of vulnerable populations and aid workers, and enable financial fraud by diverting funds. The use of a WebSocket RAT indicates a capable adversary focused on stealth and long-term access.
Recommended action
Organizations, especially those in the non-profit and humanitarian sectors, should increase employee awareness of spear-phishing attacks. Security teams should enhance network monitoring to detect anomalous WebSocket traffic and ensure endpoint detection and response (EDR) tools are configured to identify and block suspicious script execution.
Oracle has released its quarterly Critical Patch Update (CPU) for October 2025, addressing 374 security vulnerabilities across a wide range of its product families. The high volume of patches underscores the significant attack surface of Oracle products within enterprise environments. Several vulnerabilities can be exploited remotely without authentication.
Business impact
Failure to apply these patches could expose organizations to a variety of attacks, including remote code execution, data theft, and denial of service, depending on the specific products and vulnerabilities. This affects databases, middleware, and business applications critical to operations.
Recommended action
Review the Oracle October 2025 CPU and prioritize patching based on asset criticality, exposure, and the CVSS scores of the vulnerabilities. Focus first on internet-facing systems and critical database servers.
The Russian-backed threat group Coldriver has demonstrated significant operational agility by developing and deploying three new malware families just five days after Google researchers exposed its 'LostKeys' credential-stealing malware in May. This rapid redevelopment indicates the group is well-resourced, resilient, and undeterred by public disclosure.
Business impact
Coldriver's focus on credential theft poses a high risk of business email compromise, espionage, and initial access for further network intrusion. Their ability to quickly adapt their toolset means that static, signature-based defenses are likely to be ineffective.
Recommended action
Security teams should focus on behavioral-based detections and robust multi-factor authentication (MFA) to mitigate credential theft. Monitor for new and unusual malware families and update threat intelligence feeds to include indicators associated with Coldriver's new tools.
The recent data breach at FinWise serves as a stark reminder that insider threats can bypass many perimeter defenses. The incident underscores the critical role of data-centric security controls, demonstrating that encryption is often the last effective line of defense when an authorized user becomes a malicious actor.
Business impact
Data breaches caused by insiders can be particularly damaging as they often involve large volumes of sensitive, centrally-located data. This can lead to severe regulatory fines, loss of intellectual property, and erosion of customer trust.
Recommended action
Review and strengthen data-at-rest and data-in-transit encryption policies. Implement robust key management and access control solutions to ensure that even users with legitimate access cannot exfiltrate usable sensitive data. Employ user and entity behavior analytics (UEBA) to detect anomalous internal activity.
The Microsoft Digital Defense Report 2025 highlights a significant shift in the threat landscape, with a surge in financially motivated attacks alongside persistent nation-state threats. The report urges CISOs to move beyond traditional defense and focus on building cyber resilience, emphasizing the need for integrated security platforms, rapid response capabilities, and proactive threat hunting to manage an increasingly complex risk environment.
As cloud environments expand, the proliferation of machine identities and static secrets (API keys, tokens, passwords) has become a major security risk. Enterprises are increasingly shifting towards managed identity systems that eliminate static credentials, citing dramatic productivity and security gains. This trend addresses the growing problem of 'secrets sprawl' and reduces the risk of compromise from leaked or poorly managed credentials.
A Vanson Bourne survey of 1,100 IT and security professionals reveals that 76% of organizations are struggling to defend against cyberattacks that are increasing in volume and sophistication, partly driven by adversaries' use of AI. This data point underscores the immense pressure on security teams and highlights a growing gap between attacker capabilities and defender resources, necessitating a strategic focus on automation and force-multiplication tools.
Spotlight Rationale: Today's critical threats, including the Adobe Commerce exploit ([CVE-2025-54236](https://nvd.nist.gov/vuln/detail/CVE-2025-54236)) and the ToolShell SharePoint attacks, highlight the vulnerability of public-facing applications and APIs to automated exploitation. Traditional perimeter defenses like WAFs are often insufficient as they cannot validate the identity of the client making the request.
Platform Focus: Approov & Cloudflare API Security Integration
The integration of Approov with Cloudflare provides a powerful defense against API abuse by implementing mobile app and client attestation. While Cloudflare's API Shield and WAF block malicious traffic at the edge, Approov ensures that requests originate from a genuine, untampered version of your mobile app. This creates a zero-trust model for APIs, effectively blocking automated scripts and compromised clients from exploiting vulnerabilities like the Adobe Commerce REST API flaw, even if they have valid credentials.
Actionable Platform Guidance: Implement a Cloudflare Worker that intercepts API requests. The worker should validate the Approov token present in the request header before forwarding the request to the origin server. If the token is missing or invalid, the request is blocked at the edge, preventing malicious traffic from ever reaching the vulnerable application.
// Example Cloudflare Worker to validate Approov tokens
// This code should be deployed to the API route in Cloudflare.
const approovSecret = "YOUR_APPROOV_BASE64_SECRET";
addEventListener('fetch', event => {
event.respondWith(handleRequest(event.request))
})
async function handleRequest(request) {
const approovToken = request.headers.get('Approov-Token');
if (!approovToken) {
return new Response('Approov token missing', { status: 401 });
}
try {
// The Approov library for Cloudflare Workers would handle verification
// This is a conceptual representation
const decodedToken = await verifyApproovToken(approovToken, approovSecret);
// If token is valid, forward the request to the origin
return fetch(request);
} catch (error) {
// If token is invalid, block the request
return new Response('Invalid Approov token', { status: 403 });
}
}
// Placeholder for the actual token verification logic
async function verifyApproovToken(token, secret) {
// In a real scenario, you would use a JWT library to verify the token signature and claims
console.log("Verifying token...");
if (token === "valid-token-for-testing") return { valid: true };
throw new Error("Token validation failed");
}
2. YARA Rule for Adobe Commerce Exploit CVE-2025-54236
rule Detect_Adobe_Commerce_Exploit_CVE_2025_54236 {
meta:
description = "Detects web log artifacts associated with attempts to exploit Adobe Commerce CVE-2025-54236 via REST API."
author = "Threat Rundown"
date = "2025-10-23"
reference = "https://securityaffairs.com/?p=183754"
severity = "high"
tlp = "white"
strings:
// Look for requests to sensitive customer or integration endpoints without proper auth context
$api1 = "/rest/V1/customers/me" ascii wide
$api2 = "/rest/V1/integration/admin/token" ascii wide
$api3 = "/rest/all/V1/customers/" ascii wide
$method = "POST /"
$ua1 = "python-requests"
$ua2 = "Go-http-client"
condition:
$method and any of ($api*) and any of ($ua*)
}
index=web sourcetype="web_access" uri_path IN ("/rest/V1/customers/me", "/rest/V1/integration/admin/token", "/rest/V1/customers/*")
| stats count as request_count, dc(uri_path) as distinct_endpoints, values(user_agent) as user_agents by src_ip
| eval risk_score=case(
request_count > 50 AND distinct_endpoints > 2, 100, /* High confidence: Scanning/exploitation */
request_count > 10, 50, /* Medium confidence: Suspicious activity */
1==1, 25)
| where risk_score >= 50
| table src_ip, request_count, distinct_endpoints, user_agents, risk_score
| sort -risk_score
4. PowerShell Script β Scan SharePoint Directories for Potential Web Shells (ToolShell IOC)
<#
.SYNOPSIS
Scans SharePoint web application directories for suspicious file types (potential web shells).
.DESCRIPTION
This script is intended for hunting activities related to the ToolShell campaign. It searches for files with common web shell extensions in default SharePoint web directories. It should be run with administrative privileges on a SharePoint server.
#>
$sharepointPaths = @(
"C:\inetpub\wwwroot\wss\VirtualDirectories\*",
"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\*"
# Add other relevant SharePoint directories as needed
)
$suspiciousExtensions = @(".aspx", ".ashx", ".asmx", ".php", ".jsp")
Write-Host "[INFO] Starting scan for potential web shells..." -ForegroundColor Yellow
foreach ($path in $sharepointPaths) {
$resolvedPaths = Resolve-Path $path -ErrorAction SilentlyContinue
if ($resolvedPaths) {
foreach ($resolvedPath in $resolvedPaths) {
Write-Host "[INFO] Scanning directory: $($resolvedPath.Path)"
Get-ChildItem -Path $resolvedPath.Path -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer -eq $false -and $suspiciousExtensions -contains $_.Extension } | ForEach-Object {
Write-Host "[ALERT] Potential web shell found: $($_.FullName) | Last Modified: $($_.LastWriteTime)" -ForegroundColor Red
}
}
}
}
Write-Host "[INFO] Scan complete." -ForegroundColor Green
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT