TikTok Videos Promoting Malware InstallationTikTok Videos Promoting Malware Installation
Tiktok videos advertising ways to obtain software like Photoshop for free will instead trick users into downloading
https://isc.sans.edu/diary/TikTok%20Videos%20Promoting%20Malware%20Installation/32380
Google Ads Advertise Malware Targeting MacOS Developers
Hunt.io discovered Google ads that pretend to advertise tools like Homebrew and password managers to spread malware
https://hunt.io/blog/macos-odyssey-amos-malware-campaign
Satellite Transmissions are often unencrypted
A large amount of satellite traffic is unencrypted and easily accessible to eavesdropping
https://satcom.sysnet.ucsd.edu

New DShield Support Slack Workspace
Due to an error on Salesforce s side, we had to create a new Slack Workspace for DShield support.
https://isc.sans.edu/diary/New%20DShield%20Support%20Slack/32376
Attackers Exploiting Recently Patched Cisco SNMP Flaw (CVE-2025-20352)
Trend Micro published details explaining how attackers took advantage of a recently patched Cisco SNMP Vulnerability
https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
Framework BIOS Backdoor
The mm command impleneted in Framework BIOS shells can be used to compromise a device pre-boot.
https://eclypsium.com/blog/bombshell-the-signed-backdoor-hiding-in-plain-sight-on-framework-devices/
SANS.edu Research: Mark Stephens, Validating the Effectiveness of MITRE Engage and Active Defense
https://www.sans.edu/cyber-research/validating-effectiveness-mitre-engage-active-defense/

Clipboard Image Stealer
Xavier presents an infostealer in Python that steals images from the clipboard.
https://isc.sans.edu/diary/Clipboard%20Pictures%20Exfiltration%20in%20Python%20Infostealer/32372
F5 Compromise
F5 announced a wide-ranging compromise today. Source code and information about unpatched vulnerabilities were stolen.
https://my.f5.com/manage/s/article/K000157005 https://my.f5.com/manage/s/article/K000156572 https://my.f5.com/manage/s/article/K000154696
Adobe Updates
Adobe updated 12 different products yesterday.
https://helpx.adobe.com/security.html
SAP Patchday
Among the critical vulnerabilities patched in SAP s products are two deserialization vulnerabilities with a CVSS score of 10.0
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html
https://onapsis.com/blog/sap-security-patch-day-october-2025/

Microsoft Patch Tuesday
Microsoft not only released new patches, but also the last patches for Windows 10, Office 2016, Office 2019, Exchange 2016 and Exchange 2019.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368
Ivanti Advisory
Ivanti released an advisory with some mitigation steps users can take until the recently made public vulnerablities are patched.
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US
Fortinet Patches
https://fortiguard.fortinet.com/psirt/FG-IR-25-010
https://fortiguard.fortinet.com/psirt/FG-IR-24-361

Scans for ESAFENET CDG V5
We do see some increase in scans for the Chinese secure document management system, ESAFENET.
https://isc.sans.edu/diary/Heads%20Up%3A%20Scans%20for%20ESAFENET%20CDG%20V5%20/32364
Investigating targeted payroll pirate attacks affecting US universities
Microsoft wrote about how payroll pirates redirect employee paychecks via phishing.
https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
Attacks against Edge via IE Mode
Microsoft Edge offers an IE legacy mode to support websites created for Internet Explorer. The old JavaScript engine, which is part of this mode, has been abused in recent attacks, and Microsoft will make it more difficult to enable IE Mode to counter these attacks.
https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/

New Oracle E-Business Suite Patches
Oracle released one more patch for the e-business suite. Oracle does not state if it is already exploited, but the timing of the patch suggests that it should be expedited.
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
Widespread Sonicwall SSLVPN Compromise
Huntress Labs observed the widespread compromise of the Sonicwall SSLVPN appliance.
https://www.huntress.com/blog/sonicwall-sslvpn-compromise
Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371)
An unpatched vulnerability in the secure file sharing solutions Gladinet CentreStack and TrioFox is being exploited.
https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
Two 7-Zip Vulnerabilities CVE-2025-11002, CVE-2025-11001
7-Zip patched two vulnerabilities that may lead to arbitrary code execution
https://www.zerodayinitiative.com/advisories/ZDI-25-949/
https://www.zerodayinitiative.com/advisories/ZDI-25-950/

Building Better Defenses: RedTail Observations
Defending against attacks like RedTail is more then blocking IoCs, but instead one must focus on the techniques and tactics attackers use.
https://isc.sans.edu/diary/Guest+Diary+Building+Better+Defenses+RedTail+Observations+from+a+Honeypot/32312
Sonicwall: It wasn t the user s fault
Sonicwall admits to a breach resulting in the loss of user configurations stored in its cloud service
https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
Crowdstrike has Issues
Crowdstrike fixes two vulnerabilities in the Windows version of its Falcon sensor.
https://www.crowdstrike.com/en-us/security-advisories/issues-affecting-crowdstrike-falcon-sensor-for-windows/
Interrogators: Attack Surface Mapping in an Agentic World
A SANS.edu master s degree student research paper by Michael Samson
https://isc.sans.edu/researchpapers/pdfs/michael_samson.pdf
keywords: ai; agentic; attack surface; crowdstrike; sonicwall; ivanti; zero day; initiative; redline

Polymorphic Python Malware
Xavier discovered self-modifying Python code on Virustotal. The remote access tool takes advantage of the inspect module to modify code on the fly.
https://isc.sans.edu/diary/Polymorphic%20Python%20Malware/32354
SSH ProxyCommand Vulnerability
A user cloning a git repository may be tricked into executing arbitrary code via the SSH proxycommand option.
https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
Framelink Figma MCP Server CVE-2025-53967
Framelink Figma s MCP server suffers from a remote code execution vulnerability.

FreePBX Exploit Attempts (CVE-2025-57819)
A FreePBX SQL injection vulnerability disclosed in August is being used to execute code on affected systems.
https://isc.sans.edu/diary/Exploit%20Against%20FreePBX%20%28CVE-2025-57819%29%20with%20code%20execution./32350
Disrupting Threats Targeting Microsoft Teams
Microsoft published a blog post outlining how to better secure Teams.
https://www.microsoft.com/en-us/security/blog/2025/10/07/disrupting-threats-targeting-microsoft-teams/
Kibana XSS Patch CVE-2025-25009
Elastic patched a stored XSS vulnerability in Kibana
https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449
QT SVG Vulnerabilities CVE-2025-10728, CVE-2025-10729,
The QT group fixed two vulnerabilities in the QT SVG module. One of the vulnerabilities may be used for code execution
https://www.qt.io/blog/security-advisory-uncontrolled-recursion-and-use-after-free-vulnerabilities-in-qt-svg-module-impact-qt

More Details About Oracle 0-Day
The exploit is now widely distributed and has been analyzed to show the nature of the underlying vulnerabilities.
https://isc.sans.edu/diary/Quick%20and%20Dirty%20Analysis%20of%20Possible%20Oracle%20E-Business%20Suite%20Exploit%20Script%20%28CVE-2025-61882%29%20%5BUPDATED%5B/32346
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
Redis Vulnerability
Redis patched a ciritcal use after free vulnerability that could lead to arbitrary code execution.
https://redis.io/blog/security-advisory-cve-2025-49844/
GoAnywhere Bug Exploited
Microsoft is reporting about the exploitation of the recent GoAnywhere vulnerability
https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/