Cybersecurity News Weekly Newsletter – Fortinet, Chrome 0-Day Flaws, Cloudflare Outage and Salesforce Gainsight Breach

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Welcome to this week’s edition of the Cybersecurity News Weekly Newsletter, where we analyze the critical incidents defining the current threat landscape.

If this week has taught us anything, it is that the stability of our digital infrastructure is just as volatile as the security of the software running upon it.

We are witnessing a multi-front battle where availability concerns are colliding with critical vulnerability management. The massive Cloudflare outage served as a stark reminder of the internet’s centralized fragility, disrupting global operations and forcing organizations to re-evaluate their resilience strategies against single points of failure in the cloud ecosystem.

However, while network reliability faltered, threat actors wasted no time exploiting software weaknesses. The disclosure of new Chrome zero-day flaws has triggered yet another urgent patching race, highlighting the relentless targeting of browser-based entry points. Simultaneously, enterprise perimeters are under siege as critical vulnerabilities in Fortinet appliances continue to surface, offering adversaries potential avenues for remote compromise if left unmitigated.

Perhaps the most complex narrative this week involves the Salesforce and Gainsight breach. This incident reinforces the treacherous nature of modern supply chain security, demonstrating how trusted third-party integrations can become high-value vectors for data exfiltration.

In this issue, we dissect these events, providing the technical context, indicators of compromise, and mitigation steps necessary to secure your environment against these evolving risks.

Vulnerabilities

Fortinet FortiWeb 0‑Day (CVE‑2025‑58034)

Fortinet disclosed a command injection flaw in FortiWeb (CWE‑78) that lets authenticated attackers execute arbitrary OS commands via crafted HTTP requests or CLI, gaining system‑level privileges and potentially pivoting deeper into protected networks. The bug affects FortiWeb 8.0 (up to 8.0.1), 7.6 (up to 7.6.5), 7.4 (up to 7.4.10), 7.2 (up to 7.2.11), and 7.0 (up to 7.0.11), with exploitation observed since early October, including PoC circulation and creation of rogue admin accounts on internet‑facing panels. Fortinet urges upgrading to 8.0.2, 7.6.6, 7.4.11, 7.2.12, or 7.0.12, tightening exposure of management interfaces, and auditing admin users for unauthorized additions.

Read more: https://cybersecuritynews.com/fortiweb-0-day-code-execution-vulnerability/

XWiki RCE Exploited in the Wild (CVE‑2025‑24893)

A critical RCE in XWiki’s SolrSearch endpoint is being heavily exploited to deploy botnets, coin miners, and persistent access, with multiple independent threat actors now abusing Groovy scripting to download and run arbitrary payloads. CISA added CVE‑2025‑24893 to the KEV catalog just two days after initial disclosure, while canary systems and VulnCheck observed rapid growth in scanning, reverse shells, and multi‑stage infection chains from diverse global IPs. Defenders should urgently patch XWiki, monitor SolrSearch requests, watch for suspicious outbound connections or mining activity, and restrict internet exposure and segment networks to shrink the attack surface.

Read more: https://cybersecuritynews.com/xwiki-vulnerability-exploited-in-the-wild/

Chrome V8 Type Confusion Zero‑Day (CVE‑2025‑13223)

Google pushed an emergency Chrome Stable update (142.0.7444.175 for Windows/Linux and 142.0.7444.176 for macOS) to fix two high‑severity type confusion bugs in the V8 engine, with CVE‑2025‑13223 already exploited in the wild. Successful exploitation can enable remote code execution, sandbox escape, data theft, or malware delivery without user interaction, and Google’s TAG involvement suggests potential links to APT‑level operators. With over 65% of global browsers running Chrome, Google urges users to enable auto‑updates and avoid risky links as fuzzing tools like Big Sleep and AddressSanitizer continue to surface such memory corruption issues.

Read more: https://cybersecuritynews.com/chrome-type-confusion-zero-day/

Imunify AI‑Bolit Arbitrary Code Execution

A serious flaw in the AI‑Bolit component of Imunify products allowed crafted files or database entries to trigger malicious PHP execution as root via unsafe deobfuscation logic and unfiltered input. Specifically, deobfuscateDeltaOrd and deobfuscateEvalHexFunc passed attacker‑controlled strings into Helpers::executeWrapper(), enabling arbitrary function calls and privilege escalation if an adversary could plant payloads on the scanned server. Imunify silently shipped a fix on October 23, 2025, reports no in‑the‑wild exploitation, and advises users to ensure AI‑Bolit is updated and automatic updates remain enabled.

Read more: https://cybersecuritynews.com/imunify-ai-bolit-vulnerability/

SolarWinds Serv‑U RCE Chain (CVE‑2025‑40547/40548/40549)

SolarWinds patched three critical Serv‑U vulnerabilities in version 15.5.3 that allow admins to escalate into arbitrary code execution via logic abuse, broken access control, and path restriction bypass. While exploitation requires administrative access, Linux deployments face critical CVSS 9.1 impact due to typical service privileges, and legacy Serv‑U releases are now end‑of‑life, heightening operational risk. Upgrading to 15.5.3 or later brings both the CVE fixes and added defenses such as ED25519 key support, stronger IP blocking, account lockouts, HSTS, X‑Forwarded‑For protections, and minimum password policies.

Read more: https://cybersecuritynews.com/solarwinds-serv-u-vulnerabilities/

Twonky Server Authentication Bypass (CVE‑2025‑13315 & CVE‑2025‑13316)

Rapid7 disclosed two critical Twonky Server flaws in version 8.5.2 that let unauthenticated attackers gain full admin access by abusing an alternate API route and hardcoded Blowfish keys. Using the /nmc/rpc/ prefix, an adversary can hit the log_getfile endpoint without auth, extract encrypted admin credentials, and then decrypt them using twelve static keys embedded in the binary. With the vendor indicating no patches are forthcoming, organizations should treat 8.5.2 as permanently vulnerable, restrict Twonky access to trusted IPs, rotate credentials, and leverage Rapid7’s Metasploit and detection content to identify exposed systems.

Read more: https://cybersecuritynews.com/twonky-server-vulnerabilities/

Windows Graphics JPEG RCE (CVE‑2025‑50165)

A critical RCE in the Windows Graphics Component (windowscodecs.dll), rated CVSS 9.8, lets attackers weaponize crafted JPEG images to seize control of systems with no user interaction beyond opening or previewing a file. Zscaler ThreatLabz discovered the issue via targeted fuzzing of the Windows Imaging Component, tracing an untrusted pointer dereference in JPEG encode/decode paths that allows heap spraying, ROP chains, and Control Flow Guard bypass on 64‑bit systems. Microsoft patched affected Windows Server 2025 and Windows 11 24H2 builds on August 12, 2025, and admins are urged to prioritize those updates, limit automatic image previews, sandbox untrusted content, and harden high‑value assets before widespread exploitation emerges.

Read more: https://cybersecuritynews.com/critical-windows-graphics-vulnerability/

Tools

TaskHound: New Windows Scheduled Task Security Tool

A new open-source security tool called TaskHound has been released to help penetration testers and security professionals identify high-risk Windows scheduled tasks that could expose systems to attacks. The tool automatically discovers tasks running with privileged accounts and stored credentials, making it a valuable addition to security assessments. TaskHound automates this discovery across Windows networks by scanning remote machines over SMB and parsing task XML files to identify security weaknesses. It integrates with BloodHound for correlating scheduled tasks with attack path data and supports both modern BloodHound Community Edition and legacy formats.

Read more: https://cybersecuritynews.com/taskhound-windows-scheduled-task-tool/
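As an added example of the kind of check TaskHound automates (hypothetical code written for this newsletter, not TaskHound's own), the following Python parses Windows scheduled-task XML and flags tasks whose principal is privileged and whose logon type means the Task Scheduler stores the account password. The task names, accounts and paths are constructed samples; the XML namespace and element names are the real task-file schema.

```python
# Added, hypothetical audit (not TaskHound's code): parse scheduled-task XML and flag tasks that
# run as a privileged principal with a stored password. Real task files are UTF-16; pass raw bytes.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
PRIVILEGED_NAMES = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
STORED_CRED_LOGON_TYPES = {"Password", "InteractiveTokenOrPassword"}  # scheduler keeps the password

@dataclass
class TaskFinding:
    name: str
    user: str
    logon_type: str
    run_level: str
    reasons: list = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        # The dangerous combination: a stored password for a privileged account.
        return "stored-credentials" in self.reasons and any(
            r.startswith("privileged") for r in self.reasons)

def audit_task(name: str, xml_data) -> TaskFinding:
    root = ET.fromstring(xml_data)

    def text(parent, path):  # namespaced lookup, "" when the element is absent
        node = parent.find(path, NS) if parent is not None else None
        return (node.text or "").strip() if node is not None else ""

    principal = root.find("t:Principals/t:Principal", NS)
    user, logon = text(principal, "t:UserId"), text(principal, "t:LogonType")
    finding = TaskFinding(name, user, logon, text(principal, "t:RunLevel"))
    if logon in STORED_CRED_LOGON_TYPES:
        finding.reasons.append("stored-credentials")
    upper = user.upper()
    if upper in PRIVILEGED_SIDS or upper in PRIVILEGED_NAMES:
        finding.reasons.append("privileged-principal")
    elif "ADMIN" in upper.split("\\")[-1]:  # naming heuristic only; confirm group membership
        finding.reasons.append("privileged-name-heuristic")
    if finding.run_level == "HighestAvailable":
        finding.reasons.append("privileged-runlevel")
    return finding

def audit_many(tasks: dict) -> dict:
    return {name: audit_task(name, xml) for name, xml in tasks.items()}

def _task_xml(user, logon, level, command):  # builds a constructed sample task file
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Principals><Principal id="Author">'
            f"<UserId>{user}</UserId><LogonType>{logon}</LogonType><RunLevel>{level}</RunLevel>"
            f'</Principal></Principals><Actions Context="Author"><Exec><Command>{command}'
            "</Command></Exec></Actions></Task>")

SAMPLE_TASKS = {  # constructed samples, not from any real host
    "Nightly Backup": _task_xml(r"CORP\svc_backupadmin", "Password", "HighestAvailable", r"C:\Tools\backup.exe"),
    "Defrag": _task_xml("S-1-5-18", "ServiceAccount", "HighestAvailable", r"%windir%\system32\defrag.exe"),
    "User Sync": _task_xml(r"CORP\jsmith", "InteractiveToken", "LeastPrivilege", r"C:\Users\jsmith\sync.cmd"),
}

if __name__ == "__main__":
    for f in audit_many(SAMPLE_TASKS).values():
        print(f"[{'HIGH RISK' if f.high_risk else 'ok'}] {f.name}: {f.user} {f.logon_type} {f.reasons}")
```

Only the "Nightly Backup" sample is reported as high risk: its password is stored and its account name suggests admin rights, whereas the SYSTEM task runs without a stored password.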

Microsoft Threat Intelligence Briefing Agent Now in Defender Portal

Microsoft has unveiled significant enhancements to threat intelligence at Ignite 2025, bringing the Threat Intelligence Briefing Agent directly into the Defender portal. This integration marks a pivotal shift in how security teams approach cyber defense, moving from reactive responses to proactive threat anticipation. The tool delivers daily customized briefings that combine Microsoft’s global threat intelligence with organization-specific insights, saving analysts countless hours previously spent manually gathering information from multiple sources. Microsoft has also expanded access to its comprehensive threat intelligence library through Threat Analytics, now available to both Defender XDR and Sentinel-only customers in Public Preview at no additional cost.

Read more: https://cybersecuritynews.com/microsoft-threat-intelligence-with-defender/

Sysmon Coming Natively to Windows

Microsoft is bringing native Sysmon functionality directly into Windows, eliminating the need for manual deployment and separate downloads. Starting next year, Windows 11 and Windows Server 2025 will include System Monitor capabilities, transforming how security teams detect threats and investigate incidents. For years, Sysmon has been the go-to tool for IT administrators, security professionals, and threat hunters seeking deep visibility into Windows systems. The native integration solves critical pain points by providing instant threat visibility with automated compliance through standard Windows Update and official customer service support. Key detection capabilities include process creation monitoring, network connection tracking, credential access detection, file system monitoring, and WMI persistence tracking.

Read more: https://cybersecuritynews.com/sysmon-tool-windows/

Cyberattack

Iranian SpearSpecter espionage campaign

Iran’s IRGC‑linked operators, tracked as APT42/Mint Sandstorm, are targeting senior government and defense officials with the “SpearSpecter” campaign, using fake conference invites and trust-building WhatsApp conversations to deliver malware. The attack chain abuses the Windows search‑ms protocol to access a malicious WebDAV share, dropping the in‑memory TAMECAT PowerShell backdoor to steal credentials, capture screenshots, and exfiltrate data via Telegram and Discord while evading detection.

Read more: https://cybersecuritynews.com/iranian-spearspecter-attacking-high-value-officials/

Record 15.7 Tbps DDoS against Azure

Microsoft Azure successfully mitigated a record-breaking 15.72 Tbps DDoS attack targeting a customer in Australia, orchestrated by the Aisuru botnet, which mobilized over 500,000 compromised IoT devices. The attack, which peaked at 3.64 billion packets per second, utilized UDP floods and randomized ports, but was neutralized by Azure’s global scrubbing centers without causing service downtime, continuing a trend of escalating hyper-scale attacks.

Read more: https://cybersecuritynews.com/ddos-attack-azure-network/

Lazarus “ScoringMathTea” RAT targets UAV firms

The North Korean Lazarus APT group has deployed a new remote access trojan dubbed “ScoringMathTea” to target defense industrial base entities, specifically those involved in UAV production. This sophisticated C++ malware employs advanced evasion techniques, including loading payloads directly into memory to avoid disk detection and using a custom C2 communication protocol that mimics legitimate traffic to maintain persistent access for espionage.

Read more: https://cybersecuritynews.com/lazarus-apt-group-new-scoringmathtea-rat/

Massive bulletproof hosting takedown

Dutch authorities have seized approximately 250 servers backing thousands of virtual domains in a major operation against a “bulletproof” hosting provider used extensively for ransomware, phishing, and command-and-control infrastructure. The takedown disrupts a critical logistical node for cybercriminals who relied on the host’s refusal to cooperate with law enforcement, potentially yielding significant intelligence on multiple threat actor groups.

Read more: https://cybersecuritynews.com/authorities-seized-thousands-of-servers/

Malicious “free VPN” Chrome extensions with 9M installs

A cluster of malicious Chrome extensions marketed as “Free Unlimited VPN” tools has been removed after accumulating 9 million installs while secretly turning user browsers into a proxy botnet. These extensions intercepted navigation events and injected malicious JavaScript to monetize user traffic, highlighting the continued risk of granting broad permissions to unverified browser add-ons.

Read more: https://cybersecuritynews.com/malicious-free-vpn-extension-with-9-million-installs/

Operation WrtHug hijacks ASUS routers

Operation WrtHug has compromised thousands of ASUS routers globally by exploiting a chain of vulnerabilities in older firmware versions to install a custom botnet. The attackers leverage these compromised edge devices as residential proxies to mask malicious traffic and launch further attacks, emphasizing the critical need for users to replace end-of-life hardware and apply firmware updates.

Read more: https://cybersecuritynews.com/wrthug-asus-routers/

Active RCE exploitation in 7‑Zip

Attackers are actively exploiting a remote code execution vulnerability (CVE-2025-11001) in the popular 7-Zip file archiver, which allows arbitrary code execution via malicious archives. The flaw stems from improper handling of symlinks, and with proof-of-concept code public, organizations are urged to update to the latest version (25.00+) immediately to prevent compromise via email or web downloads.

Read more: https://cybersecuritynews.com/7-zip-rce-vulnerability-exploited/

Brute-force wave on Palo Alto GlobalProtect

Cybersecurity researchers have detected a massive spike in brute-force attacks targeting Palo Alto Networks GlobalProtect VPN portals, aiming to breach enterprise networks via credential stuffing. The campaign focuses on identifying valid user accounts for initial access, prompting defenders to enforce multi-factor authentication (MFA) and monitor for anomalous login failures on their VPN gateways.

Read more: https://cybersecuritynews.com/palo-alto-vpn-under-attack/

Threats

Outlook NotDoor Backdoor Detection Techniques – APT28/Fancy Bear-linked malware exploits Outlook macros for persistence and data theft, using DLL sideloading and registry modifications to establish command-and-control communications while evading detection.

Read more: https://cybersecuritynews.com/techniques-to-detect-outlook-notdoor/

Yurei Ransomware Encryption Analysis – Go-based ransomware uses ChaCha20-Poly1305 and secp256k1-ECIES dual-layer encryption, targeting transportation, IT, marketing, and food industries in Sri Lanka and Nigeria with case-by-case ransom demands.

Read more: https://cybersecuritynews.com/yurei-ransomware-file-encryption/

Xanthorox AI Generates Unrestricted Malware – Darknet AI tool built on Google’s Gemini Pro model generates ransomware and malicious code without safety restrictions, charging $300 monthly for basic access and $2,500 annually for advanced features.

Read more: https://cybersecuritynews.com/threat-actors-can-use-xanthorox-ai-tool/

UNC1549 Iranian Group Deploys TWOSTROKE Backdoor – Iranian-backed threat group targets aerospace, aviation, and defense sectors with custom backdoors featuring unique hashes per deployment, exploiting DLL search order hijacking in FortiGate, VMWare, Citrix, Microsoft, and NVIDIA executables.

Read more: https://cybersecuritynews.com/unc1549-hackers-with-custom-tools/

Remcos RAT Command-and-Control Network Mapped – Over 150 active Remcos C2 servers tracked worldwide, primarily operating on port 2404 with additional activity on ports 5000, 5060, 5061, 8268, and 8808, hosted on COLOCROSSING, RAILNET, and CONTABO infrastructure.

Read more: https://cybersecuritynews.com/remcos-rat-c2-activity-mapped/

WhatsApp Screen-Sharing Scam Exploits Users – Social engineering attack impersonates bank representatives and Meta support to trick users into sharing screens during video calls, leading to account takeovers and financial losses including one HK$5.5 million case in Hong Kong.

Read more: https://cybersecuritynews.com/whatsapp-screen-sharing-scam/

npm Malware Uses Adspect Cloaking Technology – Threat actor dino_reborn created seven malicious npm packages with fingerprinting systems that distinguish victims from researchers, displaying fake CAPTCHAs to victims while showing blank pages to analysts.

Read more: https://cybersecuritynews.com/new-npm-malware-campaign/

Nova Stealer Swaps macOS Crypto Applications – Bash-based malware replaces legitimate Ledger Live, Trezor Suite, and Exodus applications with fake versions that steal seed phrases in real-time, using LaunchAgent persistence and detached screen sessions.

Read more: https://cybersecuritynews.com/new-nova-stealer-attacking-macos-users/

Xillen Stealer v4/v5 Evades AI Detection – Python-based cross-platform stealer targets 100+ browsers and 70+ cryptocurrency wallets, implementing AIEvasionEngine with behavioral mimicking, polymorphic code transformation, and P2P C2 over blockchain and Tor networks.

Read more: https://cybersecuritynews.com/xillen-stealer-with-new-advanced-features/

Data Breach

Princeton University donor database breach

Attackers accessed a Princeton University Advancement database on November 10, 2025, exposing personal details of alumni and donors, though financial data and Social Security numbers were not compromised.

Read more: https://cybersecuritynews.com/princeton-university-data-breach/

Eurofiber France ticketing platform compromise

A vulnerability in Eurofiber France’s ticket management system allowed hackers to steal customer data on November 13, 2025, but banking information remained secure and services continued without interruption.

Read more: https://cybersecuritynews.com/eurofiber-data-breach/

DoorDash social engineering–driven data breach

DoorDash confirmed that a social engineering attack on an employee exposed user names, addresses, and phone numbers, though no financial or government ID information was accessed.

Read more: https://cybersecuritynews.com/doordash-confirms-data-breach/

WhatsApp contact discovery flaw exposes 3.5 billion numbers

Researchers exploited a weakness in WhatsApp’s contact discovery feature to enumerate 3.5 billion active phone numbers and scrape public profile data across 245 countries.

Read more: https://cybersecuritynews.com/whatsapp-vulnerability-exposes-3-5-billion-users/

Salesforce–Gainsight OAuth Abuse

Salesforce warned that attackers are abusing compromised OAuth tokens from Gainsight applications to access customer data via trusted integrations, highlighting significant SaaS supply chain risks.

Read more: https://cybersecuritynews.com/salesforce-gainsight-breach/

Tech News

Google to Penalize Battery-Draining Apps

Google is introducing strict battery efficiency standards for the Play Store starting March 1, 2026, utilizing a new “excessive partial wake locks” metric in Android vitals. Apps that hold wake locks for more than two cumulative hours in 5% of sessions over 28 days may face reduced visibility and warning labels, to protect device battery life.

Read more: https://cybersecuritynews.com/google-flag-apps-on-play-store/

Cloudflare Global Outage Disrupts Major Platforms

A significant internal service degradation at Cloudflare on November 18, 2025, triggered widespread HTTP 500 errors and disrupted core services including the dashboard and API. The outage impacted millions of users across major platforms like X, ChatGPT, and Spotify, underscoring the fragility of centralized internet infrastructure.

Read more: https://cybersecuritynews.com/cloudflare-global-outage-breaks-internet/

Microsoft Teams Adds False-Positive Reporting

Microsoft Teams is rolling out a feature that allows users to report messages they believe were incorrectly flagged as security threats, directly improving detection models. Organizations with Defender for Office 365 or Defender XDR can now centralize these user submissions in the Defender portal to refine AI threat classification.

Read more: https://cybersecuritynews.com/microsoft-teams-report-messages-feature/

pi GPT Tool for Local AI Management

The newly launched pi GPT tool integrates OpenAI’s ChatGPT with Raspberry Pi devices, enabling users to manage and code on their devices via natural language prompts without cloud dependency. By using noBGP’s deterministic networking, it offers secure, local control for tasks like restarting servers or debugging scripts directly from chat.

Read more: https://cybersecuritynews.com/pi-gpt-tool-for-raspberry-pi/

Windows 11 Hides Crash Errors on Public Displays

Microsoft introduced a new Windows 11 mode for public-facing screens that suppresses the Blue Screen of Death (BSOD) and error dialogs to prevent public embarrassment. Critical errors are displayed for only 15 seconds for diagnostics before the screen turns black, requiring manual interaction to reactivate.

Read more: https://cybersecuritynews.com/windows-11-hide-crash-errors/

Windows 11 24H2 Update Breaks Shell Components

Microsoft confirmed that the Windows 11 version 24H2 update (KB5062553) causes critical failures in the Start Menu, Taskbar, and Settings due to a race condition in XAML package registration. The issue, prominent in VDI environments, requires manual PowerShell re-registration of dependency packages or synchronous logon scripts to resolve.

Read more: https://cybersecuritynews.com/windows-11-24h2-features-broken/