Threat Advisories

Ivanti has released urgent patches for a critical code execution vulnerability in its Endpoint Manager (EPM) platform, tracked as CVE‑2025‑10573 (CVSS 9.6). The flaw allows unauthenticated, remote attackers to perform low-complexity cross-site scripting (XSS) attacks that require minimal user interaction, potentially compromising administrative sessions and leading to code execution. 

Fortinet has disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO feature—affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. An attacker could gain unfettered administrative access using crafted SAML assertions when FortiCloud SSO is enabled. 

Two critical vulnerabilities have been disclosed in React Server Components (RSC) and Next.js App Router, enabling unauthenticated remote code execution (RCE). These flaws stem from unsafe deserialization of RSC payloads, allowing attackers to execute arbitrary JavaScript code on the server. 

Cyber security analysts from Group-IB and UKUK have identified a continuing and expanding cyber-espionage operation run by the threat actor known as Bloody Wolf. Active since at least late 2023, the group has steadily evolved its methods while extending its reach across Central Asia. Their activity demonstrates a shift toward low-cost, legitimate remote-administration tools delivered through carefully crafted social-engineering campaigns. 

Scattered Lapsus$ Hunters group appears to be targeting Zendesk users in a new phishing campaign. 

Sha1-Hulud 2.0 is an aggressive evolution of the September 2025 Shai-Hulud npm supply chain attack. This second wave introduces preinstall-phase execution, enabling malware to run automatically during dependency installation, bypassing traditional static code scans. The campaign leverages compromised maintainer accounts to publish trojanized npm packages, impacting major projects like Zapier, ENS Domains, PostHog, and Postman 

SolarWinds has issued updates to address three critical vulnerabilities in its Serv-U file transfer software. If left unpatched, these flaws could allow an attacker with administrator-level access to execute arbitrary code on the underlying server. 

Summary (TL;DR) 
A Fortinet FortiWeb vulnerability is being actively exploited in the wild to create administrative accounts and gain persistent access to Internet-exposed FortiWeb appliances. Public proof-of-concept / exploit activity and weaponized code have appeared, and multiple monitoring/honeypot teams report exploitation since early November 2025. Exploitation yields full administrative control of the appliance (persistence, config tampering, credential access, logging disruption). Treat exposed FortiWeb management interfaces as high priority (critical) until patched or isolated. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a heightened alert after confirming active exploitation of a critical security flaw impacting WatchGuard Firebox firewalls. The vulnerability, tracked as CVE-2025-9242 with a CVSS score of 9.3, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling its urgent priority for remediation. 

LANDFALL is a previously undocumented Android spyware family observed targeting Samsung Galaxy devices via malformed DNG (Digital Negative) image files. The campaign exploited CVE-2025-21042, a zero-day in Samsung’s image-processing library, to achieve remote code execution—likely with a zero-click path when images were received over WhatsApp. Activity appears to have begun by July 2024 and continued into early 2025, predating Samsung’s April 2025 patch. Once resident, LANDFALL enabled full-spectrum surveillance, including microphone recording, location tracking, and exfiltration of photos, contacts, call logs and other device data. Targeting and infrastructure suggest a Middle East and North Africa focus. Attribution remains open; overlaps in tradecraft point toward commercial spyware ecosystems, but no vendor link is conclusive.