Scans for WSUS: Port 8530/8531 TCP, CVE-2025-59287
We did observe an increase in scans for TCP ports 8530 and 8531. These ports are associated with WSUS and the scans are likely looking for servers vulnerable to CVE-2025-59287
https://isc.sans.edu/diary/Scans%20for%20Port%208530%208531%20%28TCP%29.%20Likely%20related%20to%20WSUS%20Vulnerability%20CVE-2025-59287/32440
BADCANDY Webshell Implant Deployed via
The Australian Signals Directorate warns that they still see Cisco IOS XE devices not patches for CVE-2023-20198. A threat actor is now using this vulnerability to deploy the BADCANDY implant for persistent access
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
Improvements to Open VSX Security
In reference to the Glassworm incident, OpenVSX published a blog post outlining some of the security improvements they will make to prevent a repeat of this incident.
https://blogs.eclipse.org/post/mika l-barbero/open-vsx-security-update-october-2025

X-Request-Purpose: Identifying "research" and bug bounty related scans?
Our honeypots captured a few requests with bug bounty specific headers. These headers are meant to make it easier to identify requests related to bug bounty, and they are supposed to identify the researcher conducting the scans
https://isc.sans.edu/diary/X-Request-Purpose%3A%20Identifying%20%22research%22%20and%20bug%20bounty%20related%20scans%3F/32436
Proton Breach Observatory
Proton opened up its breach observatory. This website will collect information about breaches affecting companies that have not yet made the breach public.
https://proton.me/blog/introducing-breach-observatory
Microsoft Exchange Server Security Best Practices
A new document published by a collaboration of national cyber security agencies summarizes steps that should be taken to harden Exchange Server.
https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d
MOVEit Vulnerability
Progress published an advisory for its file transfer program MOVEIt . This software has had heavily exploited vulnerabilities in the past.
https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025

How to Collect Memory-Only Filesystems on Linux Systems
Getting forensically sound copies of memory-only file systems on Linux can be tricky, as tools like dd do not work.
https://isc.sans.edu/diary/How%20to%20collect%20memory-only%20filesystems%20on%20Linux%20systems/32432
Microsoft Azure Front Door Outage
Today, Microsoft s Azure Front Door service failed, leading to users not being able to authenticate to various Azure-related services.
https://azure.status.microsoft/en-us/status
Docker-Compose Vulnerability
A vulnerability in docker-compose may be used to trick users into creating files outside the docker-compose directory
https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q

Phishing with Invisible Characters in the Subject Line
Phishing emails use invisible UTF-8 encoded characters to break up keywords used to detect phishing (or spam). This is aided by mail clients not rendering some characters that should be rendered.
https://isc.sans.edu/diary/A%20phishing%20with%20invisible%20characters%20in%20the%20subject%20line/32428
Apache Tomcat PUT Directory Traversal
Apache released an update to Tomcat fixing a directory traversal vulnerability in how the PUT method is used. Exploits could upload arbitrary files, leading to remote code execution.
https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
BIND9 DNS Spoofing Vulnerability
A PoC exploit is now available for the recently patched BIND9 spoofing vulnerability
https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918

Bytes over DNS
Didiear investigated which bytes may be transmitted as part of a hostname in DNS packets, depending on the client resolver and recursive resolver constraints
https://isc.sans.edu/diary/Bytes%20over%20DNS/32420
Unifi Access Vulnerability
Unifi fixed a critical vulnerability in it s Access product
https://community.ui.com/releases/Security-Advisory-Bulletin-056-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191
OpenAI Atlas Omnibox Prompt Injection
OpenAI s latest browser can be jailbroken by inserting prompts in URLs
https://neuraltrust.ai/blog/openai-atlas-omnibox-prompt-injection

Bilingual Phishing for Cloud Credentials
Guy observed identical phishing messages in French and English attempting to phish cloud credentials
https://isc.sans.edu/diary/Phishing%20Cloud%20Account%20for%20Information/32416
Kaitai Struct WebIDE
The binary file analysis tool Kaitai Struct is now available in a web only version
https://isc.sans.edu/diary/Kaitai%20Struct%20WebIDE/32422
WSUS Emergency Update
Microsoft released an emergency patch for WSUS to fix a currently exploited critical vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Network Security Devices Endanger Orgs with 90s-era Flaws
Attackers increasingly use simple-to-exploit network security device vulnerabilities to compromise organizations.
https://www.csoonline.com/article/4074945/network-security-devices-endanger-orgs-with-90s-era-flaws.html

Infostealer Targeting Android Devices
This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram.
https://isc.sans.edu/diary/Infostealer%20Targeting%20Android%20Devices/32414
Attackers exploit recently patched Adobe Commerce Vulnerability CVE-2025-54236
Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. E-Commerce security company SanSec has detected multiple exploit attempts.
https://sansec.io/research/sessionreaper-exploitation
Patch for BIND and unbound nameservers CVE-2025-40780
The Internet Systems Consortium (ISC.org), as well as the Unbound project, patched a flaw that may allow for DNS spoofing due to a weak random number generator.
https://kb.isc.org/docs/cve-2025-40780
WSUS Exploit Released CVE-2025-59287
Hawktrace released a walk through showing how to exploit the recently patched WSUS vulnerability
https://hawktrace.com/blog/CVE-2025-59287

webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant?
Our honeypots detected attacks that appear to exploit CVE-2025-34033 or a similar vulnerability in the Blue Angle Software Suite.
https://isc.sans.edu/diary/webctrlcgiBlue+Angel+Software+Suite+Exploit+Attempts+Maybe+CVE202534033+Variant/32410
Oracle Critical Patch Update
Oracle released its quarterly critical patch update. The update includes patches for 374 vulnerabilities across all of Oracle s products. There are nine more patches for Oracle s e-Business Suite.
https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixEBS
Rust TAR Library Vulnerability
A vulnerability in the popular, but no longer maintained, async-tar vulnerability could lead to arbitrary code execution
https://edera.dev/stories/tarmageddon

What time is it? Accuracy of pool.ntp.org.
How accurate and reliable is pool.ntp.org? Turns out it is very good!
https://isc.sans.edu/diary/What%20time%20is%20it%3F%20Accuracy%20of%20pool.ntp.org./32390
Xubuntu Compromise
The Xubuntu website was compromised last weekend and served malware
https://floss.social/@bluesabre/115401767635718361
Squid Proxy Vulnerability
The Squid team fixed an information disclosure vulnerabilty that may leak authentication credentials.
https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr
Lanscope Endpoint Manager Vulnerablity
https://jvn.jp/en/jp/JVN86318557/index.html

Using Syscall() for Obfuscation/Fileless Activity
Fileless malware written in Python can uses syscall() to create file descriptors in memory, evading signatures.
https://isc.sans.edu/diary/Using%20Syscall%28%29%20for%20Obfuscation%20Fileless%20Activity/32384
AWS Outages
AWS has had issues most of the day on Monday, affecting numerous services.
https://health.aws.amazon.com/health/status
Time Server Hack
China reports a compromise of its time standard servers.
https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html