Threat Advisories

Cyber security researchers have uncovered multiple malicious packages distributed through npm, PyPI, and RubyGems that secretly send stolen developer data to Discord channels. The attackers use Discord webhooks as a command-and-control (C2) mechanism, exploiting their simplicity and lack of authentication requirements. Since webhook URLs are “write-only,” defenders cannot easily review or delete the stolen data once it’s transmitted. 

CVE-2021-43226 is a local privilege-escalation vulnerability in the Microsoft Common Log File System (CLFS) driver that allows a local, authenticated attacker with standard user privileges to trigger a buffer-overflow in CLFS and obtain SYSTEM level code execution. CISA has confirmed evidence of active exploitation and placed the CVE in its KEV catalog. Organizations must prioritize patching and apply mitigations immediately. 

Redis has revealed a critical security flaw in its in-memory database software that carries the maximum possible severity rating, potentially allowing remote code execution in certain conditions. The vulnerability, identified as CVE-2025-49844 and nicknamed “RediShell,” has been assigned a CVSS score of 10.0. 

Oracle have released a new critical Advisory for a zero-day vulnerability, now tracked as “CVE-2025-61882” that is being actively exploited in the wild. This vulnerability, which affects the Oracle E-Business Suite has been assigned a CVSS 3.1 Base Score of 9.8 (CRITICAL). This allows an unauthenticated attacker with network access to compromise the system by enabling them to perform RCE (Remote Code Execution) on the affected host. 

A newly discovered Android banking trojan named Klopatra has infected more than 3,000 devices, with most cases observed in Spain and Italy. First identified by the Italian firm Cleafy in late August 2025, Klopatra is a sophisticated remote access trojan that leverages Hidden VNC to seize full control of compromised smartphones. It employs dynamic overlays to steal credentials and ultimately enables its operators to perform fraudulent financial transactions. 

Cisco has confirmed active exploitation of multiple vulnerabilities in the VPN/web services of Cisco Secure Firewall (ASA) and FTD. Threat actors chained a missing-authorization flaw with a separate web-service buffer overflow to achieve remote code execution and deploy persistent tooling. Government partners and national CERTs have supported the investigation and issued mitigations; CISA has published Emergency Directive ED 25-03 and added the exploited CVEs to its KEV catalog. 

Cloud security company Wiz has uncovered active exploitation attempts of a newly disclosed vulnerability in the Linux utility Pandoc, tracked as CVE-2025-51591 (CVSS score: 6.5). The flaw is a Server-Side Request Forgery (SSRF) issue, which allows attackers to exploit Pandoc’s handling of HTML documents containing <iframe> tags. Specifically, a crafted iframe can trick Pandoc into making unauthorized requests to sensitive internal resources such as the Amazon Web Services (AWS) Instance Metadata Service (IMDS).

Microsoft patched a critical token-validation vulnerability in Entra ID (formerly Azure Active Directory) — CVE-2025-55241 — that could have allowed attackers to impersonate any user, including Global Administrators, across virtually any tenant. The flaw, assigned a CVSS score of 10.0, was reported by researcher Dirk-jan Mollema on 14 July 2025 and addressed by Microsoft on 17 July 2025. Microsoft states there is no evidence the issue was exploited in the wild and that no customer action was required after the fix.

Google released security updates for Chrome to fix four vulnerabilities, including an actively exploited zero-day, CVE-2025-10585 — a type-confusion bug in the V8 JavaScript / WebAssembly engine that can lead to arbitrary code execution when a user visits a crafted webpage. Google’s Threat Analysis Group (TAG) reported the flaw on 16 September 2025 and confirmed an exploit exists in the wild. Technical details have been withheld to limit further abuse. 

Cyber security researchers have flagged a fresh software supply chain attack targeting the NPM (NPM  is one of the world's largest software registries, and the package manager for Node.js projects) registry that has affected more than 40 packages that belong to multiple maintainers.