End-of-Day report
Timeframe: Friday 03-10-2025 18:00 - Monday 06-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
Serious security vulnerability in Oracle E-Business Suite - actively exploited - updates available
Oracle has published a Security Alert for a serious vulnerability, CVE-2025-61882, in Oracle E-Business Suite. The vulnerability allows attackers to execute code on affected systems without any authentication. According to Oracle, the vulnerability is already being actively exploited by threat actors.
https://www.cert.at/de/warnungen/2025/10/schwerwiegende-sicherheitslucke-in-oracle-e-business-suite-aktiv-ausgenutzt-updates-verfugbar
Hackers exploited Zimbra flaw as zero-day using iCalendar files
Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year.
https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-flaw-as-zero-day-using-icalendar-files/
XWorm malware resurfaces with ransomware module, over 35 plugins
New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year.
https://www.bleepingcomputer.com/news/security/xworm-malware-resurfaces-with-ransomware-module-over-35-plugins/
Scattered Lapsus$ Hunters Returns With Salesforce Leak Site
After claiming it would shut down, the cybercriminal collective reemerged and threatened to publish the stolen data of Salesforce customers by Oct. 10 if its demands are not met.
https://www.darkreading.com/cyberattacks-data-breaches/scattered-lapsus-hunters-returns-salesforce-leak-site
Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads
The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among other capabilities.
https://thehackernews.com/2025/10/rhadamanthys-stealer-evolves-adds.html
Attackers copied customer data from Red Hat GitLab instance
Software vendor Red Hat has suffered an IT security incident. The attackers claim to have copied 570 GB of data.
https://www.heise.de/news/Angreifer-kopierten-Kundendaten-von-Red-Hat-GitLab-Instanz-10712086.html
Data leak at Discord: support service provider successfully attacked
Criminals were able to obtain personal data of certain Discord users. This data could be misused for phishing attacks.
https://www.heise.de/news/Datenleck-bei-Discord-Support-Dienstleister-erfolgreich-attackiert-10712155.html
Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. The activity was highly targeted and involved multiple, potentially coordinated scanning clusters.
https://www.greynoise.io/blog/palo-alto-scanning-surges
Vulnerabilities
Oracle Security Alert for CVE-2025-61882 - 4 October 2025
This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
Redis warns of critical flaw impacting thousands of instances
The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances.
https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-flaw-impacting-thousands-of-instances/
ZDI-25-932: MLflow Weak Password Requirements Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2025-11200.
http://www.zerodayinitiative.com/advisories/ZDI-25-932/
ZDI-25-930: win-cli-mcp-server resolveCommandPath Command Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of win-cli-mcp-server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-11202.
http://www.zerodayinitiative.com/advisories/ZDI-25-930/
Security updates for Monday
Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, git, log4cxx, and openssl), Fedora (containernetworking-plugins, firebird, firefox, jupyterlab, mupdf, and thunderbird), Oracle (ipa), Red Hat (container-tools:rhel8, firefox, gnutls, kernel, kernel-rt, multiple packages, mysql, mysql:8.0, nginx, podman, and thunderbird), Slackware (fetchmail), SUSE (afterburn, chromium, firefox, haproxy, libvmtools-devel, logback, python311-Django, python311-Django4, and redis), and Ubuntu (linux-gcp, linux-gcp-6.14, linux-oem-6.14, linux-nvidia-tegra-igx, linux-oracle, mysql-8.0, poppler, and squid).
https://lwn.net/Articles/1040991/
Numerous security vulnerabilities closed in Dell PowerProtect Data Domain
If the prerequisites are met, attackers can attack Dell PowerProtect Data Domain and compromise systems as root. Security patches are available for download.
https://heise.de/-10712169
Unity game engine: vulnerability threatens Android, Linux, macOS and Windows
The runtime environment for the Unity game engine is embedded in various popular games. Microsoft now reports a serious security vulnerability in it that allows attackers to execute malicious code. Until updates are available, users should uninstall affected software, the vendor advises.
https://heise.de/-10713427
Multiple Vulnerabilities in Qsync Central
https://www.qnap.com/en-us/security-advisory/QSA-25-35