Greetings, Today we officially opened our Call for Tutorials for the AUSCERT2026 Conference, and we can’t wait to see the incredible submissions that come through. The standard rises every year, and we know 2026 will be no exception. Submissions close 10 November, so get in early! For details on tutorial categories and submission tips, head to our conference website. In case you missed it, we’ve also revealed our AUSCERT2026 theme: Game On! Step into the cyber arena where defenders are the most valuable players, tactics are everything, and every move matters. Game On! embodies the fast-paced, high-stakes nature of cyber security today where teamwork, quick thinking, and domain mastery are the keys to victory. With the threat landscape as our playing field, AUSCERT2026 challenges players to level up, unite under pressure, and face adversaries head-on. Featuring the International Cyber Championships, next year’s conference promises high-impact learning, fierce collaboration, and game-changing moments. Because in this arena, the stakes are real and it’s Game On! We look forward to welcoming you 19-22 May 2026 at The Star Gold Coast, Australia. Keep an eye out, registrations will open in January! AWS outage crashes Amazon, Prime Video, Fortnite, Perplexity and more Date: 2025-10-20 Author: Bleeping Computer AWS outage has taken down millions of websites, including Amazon.com, Prime Video, Perplexity AI, Canva and more. The outage started approx 30 minutes ago and it's affecting consumers in all regions, including the United States and Europe. According to AWS Health page, Amazon is aware of major disruption affecting multiple services. Oracle Releases October 2025 Patches Date: 2025-10-21 Author: Security Week [AUSCERT has published security bulletins for these Oracle updates] Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication. There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws. CISA Adds Microsoft, Oracle Vulnerabilities To KEV Catalog Date: 2025-10-20 Author: The Cyber Express The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five CVEs to its Known Exploited Vulnerabilities (KEV) catalog today, including Microsoft, Apple and Oracle vulnerabilities. Hidden "Glassworm" malware spreads through infected VS Code extensions Date: 2025-10-21 Author: iTnews A new malware worm campaign has infected multiple Microsoft Visual Studio Code extensions using invisible Unicode characters to hide malicious code from both reviewers and security tools, security researchers say. The worm, named Glassworm, compromised seven extensions on the OpenVSX marketplace on October 17, reaching more than 10,700 downloads. Email Bombs Exploit Lax Authentication in Zendesk Date: 2025-10-17 Author: Krebs on Security Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder. ESB-2025.7610 – Atlassian Products: CVSS (Max): 10.0 14 high-severity vulnerabilities which have been fixed in new versions of Atlassian products. ASB-2025.0198 – Oracle Communications Applications: CVSS (Max): 9.8 This Critical Patch Update contains 64 new security patches for Oracle Communications Applications. 46 of these vulnerabilities may be remotely exploitable without authentication. ESB-2025.7565 – Rockwell Automation 1783-NATR: CVSS (Max): 10.0 This upgrade patches vulnerabilities where successful exploitation could result in a denial-of-service, data modification, or in an attacker obtaining sensitive information. ESB-2025.7544 – Samba: CVSS (Max): 10.0 USN-7826-1 fixed vulnerabilities in Samba where an authenticated attacker could possibly use this vulnerability to obtain sensitive information. ESB-2025.7495 – Tenable Identity Exposure: CVSS (Max): 9.9 Tenable Identity Exposure leverages third-party software to help provide underlying functionality. One of the third-party components (.NET) was found to contain vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, we have released a new episode of the Share Today, Save Tomorrow podcast, Episode 47: Building Cyber Resilience with Lucas from the AUSCERT Dev Team. Our host, Bek, chats with Lucas Rossdeutscher, one of AUSCERT’s senior software developers, for an engaging behind-the-scenes look at MSINs (Member Security Incident Notifications) – a personalised and vital security service that helps AUSCERT members stay ahead of emerging threats. Lucas offers practical advice on how members can make the most of this tool to strengthen their cyber resilience and streamline their incident response efforts. Listeners will also get to know the person behind the code, as Lucas shares stories from his half-marathon training journey, his love of coffee, and how his passion for cyber security developed over time. This episode is available now on Spotify and Apple Podcasts now! After nearly a decade, Windows 10 is now unsupported as of 14th October 2025, marking a major shift for millions of users and organisations still relying on the operating system. Despite running on over a third of the world’s PCs, Microsoft have now ceased providing security updates, leaving unpatched vulnerabilities that cybercriminals could exploit. Ondrej Kubovič from ESET (a global digital company) warned that continuing to use unsupported systems creates “a significantly larger attack surface,” exposing users to data theft, malware, and potential operational or reputational damage. He recommends that if upgrading isn’t immediately possible, organisations should implement strict security controls such as restricting user privileges, limiting exposed services, using VPNs, and enhancing monitoring and audits. Still, Kubovič stresses that these measures are only stopgaps. “Temporary fixes can buy you time, but they are not a substitute for a full upgrade,” he said. “Start planning your transition now to avoid unnecessary risks.” F5 releases BIG-IP patches for stolen security vulnerabilities Date: 2025-10-15 Author: Bleeping Computer [AUSCERT has published security bulletins for these F5 updates and an ASB-https://portal.auscert.org.au/bulletins/ASB-2025.0175] Cybersecurity company F5 has released security updates to address BIG-IP vulnerabilities stolen in a breach detected on August 9, 2025. The company disclosed today that state hackers breached its systems and stole source code and information on undisclosed BIG-IP security flaws. F5 added that there's no evidence the threat actors leveraged the undisclosed vulnerabilities in attacks and said it has not yet found evidence that the flaws have been disclosed. Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws Date: 2025-10-14 Author: Bleeping Computer [AUSCERT has published security bulletins for these Microsoft updates] Today is Microsoft's October 2025 Patch Tuesday, which includes security updates for 172 flaws, including six zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, five of which are remote code execution vulnerabilities and three are elevation of privilege vulnerabilities. Qantas says customer data released by cyber criminals Date: 2025-10-13 Author: iTnews Qantas Airways confirmed customer data stolen in a July breach had been published by cybercriminals. Qantas says customer data released by cyber criminals The airline said in July that more than a million customers had sensitive details such as phone numbers, birth dates or home addresses accessed in one of Australia's biggest cyber breaches in years. Another four million customers had just their name and email address taken during the hack, it said at the time. Annual Cyber Threat Report 2024-2025 Date: 2025-10-14 Author: ASD ACSC Australia is an early and substantial adopter of digital technology which drives public services, productivity and innovation. Our increasing dependency on digital and internet-connected technology means Australia remains an attractive target for criminal and state-sponsored cyber actors. In FY2024–25, ASD’s ACSC received over 42,500 calls to the Australian Cyber Security Hotline – a 16% increase from the previous year, over 1,200 cyber security incidents – an 11% increase, more than 1,700 times of potentially malicious cyber activity – an 83% increase from last year – highlighting the ongoing need for vigilance and action to mitigate against persistent threats. Oracle silently fixes zero-day exploit leaked by ShinyHunters Date: 2025-10-14 Author: Bleeping Computer Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. The flaw was addressed with an out-of-band security update released over the weekend, which Oracle said could be used to access “sensitive resources.” ESB-2025.7359 – Adobe: Adobe Connect: CVSS (Max): 9.3 Adobe has released a security update for Adobe Connect. This update resolves critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass. ESB-2025.7350 – F5 Networks: F5 BIG-IP (all modules): CVSS (Max): 9.8 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148) ESB-2025.7295 – Debian: Linux: CVSS (Max): 9.8 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. ESB-2025.7269 – Linux kernel (Azure): CVSS (Max): 9.8* Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.7222 – Red Hat: kernel: CVSS (Max): 7.8 A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, The hacking collective Scattered Lapsus$ Hunters has continued its campaign of cyber extortion this week, targeting major Australian organisations including Telstra and Qantas. The group, which has claimed responsibility for a string of recent Salesforce-based attacks, alleged it had stolen millions of customer records from both companies and threatened to release the data unless “a resolution” was reached. Telstra was listed on the group’s darknet leak site overnight, with hackers claiming to hold 19 million sets of personal data including names, mobile numbers, and addresses. However, Telstra has denied the breach, confirming that the data was scraped from publicly available sources and did not come from its systems. Cyber Daily’s analysis suggests the information instead matches data from Reverse Australia, a public reverse phone lookup service. Meanwhile, Qantas has also reappeared on Scattered Lapsus$ Hunters’ leak site following an earlier breach in June. The group claims to possess over five million records of personally identifiable information, including customer names, contact details, and Frequent Flyer numbers, with a data release deadline set for 10 October. Qantas said its systems remain secure and that the incident stemmed from a third-party contact centre platform. The airline continues to strengthen its cyber defences and support affected customers. Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks Date: 2025-10-06 Author: The Hacker News [AUSCERT has published a MISP event with IOCs. Also see bulletin https://portal.auscert.org.au/bulletins/ASB-2025.0163] Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. ShinyHunters Wage Broad Corporate Extortion Spree Date: 2025-10-07 Author: Krebs on Security A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat. Salesforce refuses to pay a ransom in recent wave of attacks Date: 2025-10-08 Author: SC Media News that Salesforce has refused to negotiate or pay a ransom in the recent wave of cyberattacks experienced by at least 39 of its customers was viewed as a double-edged sword by some security professionals. “Salesforce's public refusal to pay the ransom sets a precedent that discourages future extortion attempts,” MacKenzie Brown, vice president, Adversary Pursuit Group at Blackpoint Cyber. “However, this strategy shifts the risk to their customers, who must now prepare for a potential data leak.” Redis warns of critical flaw impacting thousands of instances Date: 2025-10-06 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.7128] The Redis security team has released a patch for a vulnerability CVE-2025-49844 which could allow threat actors to gain remote code execution on thousands of vulnerable instances. An authenticated threat actor can exploit a 13-year-old use-after-free vulnerability to escape the Lua sandbox to establish a reverse shell for persistent access and achieve remote code execution on the targeted Redis host. SonicWall Concludes Investigation Into Incident Affecting MySonicWall Configuration Backup Files Date: 2025-10-08 Author: Arctic Wolf Recommendations On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. As of October 8, 2025, the investigation has concluded and SonicWall has updated their advisory accordingly. While the original SonicWall advisory stated that under 5% of customers using the MySonicWall configuration file backup feature were affected by the incident, the finalized verbiage now specifies that all customers who have used SonicWall’s cloud backup service were affected. ASB-2025.0163 – Oracle E-Business Suite: CVSS (Max): 9.8 Oracle released an emergency patch to fix CVE-2025-61882, a critical remote-code-execution flaw in its E-Business Suite that has already been exploited by the Cl0p group in data theft campaigns. ESB-2025.7127 – Tenable Security Center: CVSS (Max): 10.0 Tenable fixed a medium-severity access control flaw (CVE-2025-36636) in Security Center ≤ 6.6.0, with the issue resolved in version 6.7.0. ESB-2025.7128 – redis: CVSS (Max): 9.9 Redis has disclosed a maximum-severity use-after-free flaw (CVE-2025-49844) in its Lua scripting engine that enables remote code execution when exploited. ESB-2025.7165 – IBM Db2 Data Management Console: CVSS (Max): 8.3 IBM warned of critical flaws in Db2 Data Management Console 3.1.12, including RCE via SnakeYAML, now added to CISA’s KEV catalog. Upgrading to version 3.1.13+ is strongly advised. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, We are excited to release our latest episode of the Share Today, Save Tomorrow podcast, Episode 46: Jess Dodson on Security, Strategy & Sci-Fi. Our General Manager, Ivano Bongiovanni, sits down with Jess Dodson, Cloud Solution Architect at Microsoft, and a long-time friend of AUSCERT. Jess shares her unconventional journey from sysadmin to cyber security leader, exploring the importance of mastering the basics, the role of communication, and challenges for SMBs and government. She also unpacks AI’s impact on data protection, the Essential Eight (with a sci-fi twist), and why cyber security should be seen as business transformation. This episode is sure to educate and entertain, and it’s available now on Spotify, Apple Podcasts, and YouTube! This October is Cyber Awareness Month 2025, with the theme, Building our cyber safe culture, reminding us to make cyber safe practices part of our everyday lives. This month encourages us to not only strengthen our own habits but also help friends and family build their confidence in cyber security. From spotting phishing attempts to using stronger passwords and enabling multi-factor authentication, small steps can go a long way in protecting the people around you. By sharing your knowledge, you can help extend a culture of cyber safety beyond the workplace and into the community. The ASD has developed a wide range of resources to support Cyber Awareness Month, including practical guides, tips, and shareable tools to help you and your loved ones stay secure online. CISA warns of critical Linux Sudo flaw exploited in attacks Date: 2025-09-30 Author: Bleeping Computer [AUSCERT has published bulletins for Sudo security updates] Hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo package that enables the execution of commands with root-level privileges on Linux operating systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, describing it as “an inclusion of functionality from untrusted control sphere.” 50K Cisco firewalls remain vulnerable to advanced attacks Date: 2025-09-30 Author: The Register Nearly 50,000 Cisco ASA/FTD instances vulnerable to two bugs that are actively being exploited by "advanced" attackers remain exposed to the internet, according to Shadowserver data. The internet monitoring outfit said that as of Monday, the internet-facing Cisco firewalls are potentially exploitable, with the vast majority of those – more than 19,000 – located in the US. How to Use a Password Manager to Share Your Logins After You Die Date: 2025-09-29 Author: WIRED It’s not fun to talk about, but there’s only one thing certain in life. You need to have a plan for your digital legacy, just like you make a plan for your physical assets; otherwise, your accounts, services, and logins will rot away in a data center before they’re inevitably erased by a data retention policy. Some services recognize how important digital legacy is. Apple and Facebook have legacy contacts that can gain access to your accounts, and the American Bar Association is still grappling with the legalities of accessing online accounts when someone passes away. Most online services don't. Apple Patches Single Vulnerability CVE-2025-43400 Date: 2025-09-29 Author: SANS ISC [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.6939, https://portal.auscert.org.au/bulletins/ESB-2025.6938, https://portal.auscert.org.au/bulletins/ESB-2025.6937, https://portal.auscert.org.au/bulletins/ESB-2025.6936, https://portal.auscert.org.au/bulletins/ESB-2025.6935, https://portal.auscert.org.au/bulletins/ESB-2025.6934] It is typical for Apple to release a ".0.1" update soon after releasing a major new operating system. These updates typically fix various functional issues, but this time, they also fix a security vulnerability. The security vulnerability not only affects the "26" releases of iOS and macOS, but also older versions. Apple released fixes for iOS 18 and 26, as well as for macOS back to Sonoma (14). Apple also released updates for WatchOS and tvOS, but these updates do not address any security issues. For visionOS, updates were only released for visionOS 26. Hackers Actively Scanning to Exploit Palo Alto Networks PAN-OS Global Protect Vulnerability Date: 2025-09-30 Author: Cyber Security News Security researchers are observing a significant increase in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). Exploit attempts have surged as attackers seek to leverage an arbitrary file creation flaw to achieve OS command injection and ultimately full root code execution on vulnerable firewalls. Since late September 2025, honeypots deployed globally have logged thousands of TCP connections probing PAN-OS SSL VPN portals. ESB-2025.7032 – chromium Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. ESB-2025.7020 – Linux kernel (Oracle) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.7007 – Splunk Enterprise Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, and higher. ESB-2025.6759.2 – Cisco IOS and IOS XE Software An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Cisco is warning customers to urgently patch two critical zero-day vulnerabilities affecting the VPN web server of its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software. Both flaws, which the company confirmed have been exploited in the wild, pose serious risks to affected networks. The first, tracked as CVE-2025-20333 with a CVSS score of 9.9, could allow an attacker with valid VPN credentials to execute arbitrary code as root by sending crafted HTTP requests. The second, CVE-2025-20362, with a CVSS score of 6.5, could enable unauthenticated attackers to access restricted endpoints without authentication. Cisco noted that attackers appear to be chaining the vulnerabilities to bypass authentication and run malicious code on vulnerable devices. The company credited international partners including the ACSC, CISA, and the UK’s NCSC, for assisting with the investigation. In response, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 25-03, requiring federal agencies to immediately identify, analyse, and mitigate potential compromises. Both flaws have also been added to CISA’s Known Exploited Vulnerabilities catalogue, with a 24-hour deadline for applying mitigations. CISA warned that the campaign, linked to the advanced threat cluster ArcaneDoor, is ongoing and widespread. Attackers are said to be leveraging these zero-day flaws to gain unauthenticated remote code execution on ASA devices, even manipulating read-only memory to persist through reboots and upgrades. Customers are strongly urged to apply patches without delay to defend against ongoing exploitation. Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet Date: 2025-09-19 Author: Bleeping Computer Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's License Servlet that can be exploited in command injection attacks. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files. Tracked as CVE-2025-10035, this security flaw is caused by a deserialization of untrusted data weakness and can be exploited remotely in low-complexity attacks that don't require user interaction. While Fortra stated that the vulnerability was discovered over the weekend, it didn't specify who reported it or whether the flaw has been exploited in attacks. Cisco warns of IOS zero-day vulnerability exploited in attacks Date: 2025-09-24 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.6759/] Cisco has released security updates to address a high-severity zero-day vulnerability in Cisco IOS and IOS XE Software that is currently being exploited in attacks. Tracked as CVE-2025-20352, the flaw is due to a stack-based buffer overflow weakness found in the Simple Network Management Protocol (SNMP) subsystem of vulnerable IOS and IOS XE software, impacting all devices with SNMP enabled. Authenticated, remote attackers with low privileges can exploit this vulnerability to trigger denial-of-service (DoS) conditions on unpatched devices. High-privileged attackers, on the other hand, can gain complete control of systems running vulnerable Cisco IOS XE software by executing code as the root user. Microsoft Entra ID flaw allowed hijacking any company's tenant Date: 2025-09-21 Author: Bleeping Computer A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world. The fatal mix included undocumented tokens called “actor tokens” and a vulnerability in the Azure AD Graph API (CVE-2025-55241) that allowed the tokens to work with any organization’s Entra ID environment. SolarWinds releases third patch to fix Web Help Desk RCE bug Date: 2025-09-23 Author: Bleeping Computer [AUSCERT has contacted potentially affected members about this vulnerability where possible] SolarWinds has released a hotfix for a critical a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions. SolarWinds WHD is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials Date: 2025-09-24 Author: The Hacker News Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS). The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element. ESB-2025.6802 – Red Hat JBoss Enterprise Application Platform 7: CVSS (Max): 8.8 Redhat has released important patches for Red Hat JBoss EAP 7.1 on RHEL 7 to fix multiple vulnerabilities, and it has been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog. ESB-2025.6809 – Tenable Security Center: CVSS (Max): 8.8 Tenable addresses PostgreSQL vulnerabilities in Security Center 6.5.1 and 6.6.0. The patch update mitigates risks of data exposure, denial of service, and other security weaknesses in the affected versions. ESB-2025.6814 – Cisco Products: CVSS (Max): 9.9 Cisco has confirmed two critical zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) are actively being exploited in its ASA/FTD VPN web server appliances. ESB-2025.6820 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 7.5* GitLab issued patch releases 18.4.1, 18.3.3, and 18.2.7, bringing a number of security and bug fixes and urging all self-managed installations to upgrade immediately Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, we have released an exciting new episode of the Share Today, Save Tomorrow podcast, Episode 45: Phishing, Passion & Progress: A Conversation with Shane Lim. Our host Bek Cheb sits down with Shane, one of our valued analysts at AUSCERT, for a deep dive into his journey from IT generalist to cyber security specialist. This episode also features an insider look at one of AUSCERT’s most vital member services, Phishing Takedowns. Shane breaks down how the process works, why phishing remains a persistent threat, and the technical and human challenges involved in taking malicious sites offline. This is an episode you won’t want to miss, and it’s available on Spotify, Apple Podcasts, and Soundcloud now. SonicWall has warned customers to reset credentials following a breach that exposed firewall configuration backup files linked to MySonicWall accounts. Attackers exploited the company’s cloud backup API service using brute-force methods, affecting fewer than 5% of its firewall install base. While the files contained encrypted passwords, SonicWall cautioned that they also held details that could make it easier for attackers to exploit impacted devices. The company has since blocked attacker access, launched an investigation with law enforcement and cyber security partners, and published guidance for administrators. Recommendations include restricting WAN access, resetting all credentials, and updating keys and tokens across related services. SonicWall emphasised this was not a ransomware event but a series of targeted brute-force attacks, adding there is no evidence that the files have been leaked online. Apple backports zero-day patches to older iPhones and iPads Date: 2025-09-16 Author: Bleeping Computer [See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2025.6540]​ Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. Tracked as CVE-2025-43300, this vulnerability was discovered by Apple security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework, which enables apps to read and write image file formats. From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques Date: 2025-09-17 Author: Bleeping Computer During the past fifteen business days, Huntress analysts have observed increased threat activity involving several notable techniques. One case involved a malicious AnyDesk installer, which initially mimicked a standard ClickFix attack through a fake Cloudflare verification page but then utilized Windows File Explorer and an MSI package masked as a PDF to deploy MetaStealer malware. FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data Date: 2025-09-14 Author: Bleeping Computer The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims. "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions," reads the FBI's FLASH advisory. Threat Actors Leverage Several RMM Tools in Phishing Attack to Maintain Remote Access Date: 2025-09-15 Author: Cyber Security News Cybercriminals are increasingly exploiting legitimate remote monitoring and management (RMM) tools to establish persistent access to compromised systems through sophisticated phishing campaigns. Joint research conducted by Red Canary Intelligence and Zscaler threat hunters has identified multiple malicious campaigns utilizing ITarian (also known as Comodo), PDQ, SimpleHelp, and Atera RMM solutions as attack vectors. HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks Date: 2025-09-15 Author: The Hacker News Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware. "The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites," Fortinet FortiGuard Labs researcher Pei Han Liao said. "By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware." ESB-2025.6633 – Linux kernel: CVSS (Max): 9.1* Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.6569 – pcp: CVSS (Max): 8.8 This update for pcp fixes the following issues, exposure of the redis server backend allows remote command execution via pmproxy. ESB-2025.6567 – Mozilla Firefox: CVSS (Max): 8.8* Memory safety bugs are present. Some of these bugs showed evidence of memory corruption and it's presumed that with enough effort some of these could have been exploited to run arbitrary code. ESB-2025.6636 – Google Chrome: CVSS (Max): None Google released security updates for the Chrome web browser, to addresses four vulnerabilities, including one that it said has been exploited in the wild. The vulnerability has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. ESB-2025.6555 – Delta Electronics DIALink: CVSS (Max): 10.0 Delta Electronics DIALink has an Improper Limitation of a Pathname to a Restricted Directory vulnerability which could allow an attacker to bypass authentication. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, a major phishing campaign has led to a large supply chain compromise, targeting the npm (node package manager) ecosystem. Npm is a critical registry hosting over two million reusable code packages used worldwide by developers. The incident began when attackers registered a lookalike domain, npmjs.help, and sent out emails designed to mimic official npm security communications. These emails urged developers to update their two-factor authentication (2FA) credentials. At least one prominent developer fell victim to the phishing attempt, allowing attackers to take control of his account. With access secured, the attackers injected malicious code into at least 18 widely used npm packages, collectively downloaded 2.7 billion times per week. According to security vendor Aikido, the injected code was designed to run on client websites, silently intercepting cryptocurrency and web3 activity. The code manipulated wallet interactions and rewrote payment destinations so that funds and approvals were redirected to attacker-controlled accounts. The attack was particularly insidious because it operated without obvious signs, making detection difficult for end users. The compromise has since been identified and cleanup efforts are underway, though researchers warn that additional developers are being targeted by the same unknown threat actor. The scale of the incident has raised significant concerns across the development community, given how widely npm packages are integrated into both small projects and large-scale enterprise systems. Critical SAP S/4HANA vulnerability now exploited in attacks Date: 2025-09-05 Author: Bleeping Computer A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn. The flaw, tracked as CVE-2025-42957, is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA, allowing low-privileged authentication users to inject arbitrary code, bypass authorization, and fully take over SAP. Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts Date: 2025-09-10 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.6320/] Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of any exploits in the wild. More npm packages poisoned, but would-be thieves get little Date: 2025-09-09 Author: The Register During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. But crypto-craving crims did little more than annoy defenders. Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited Date: 2025-09-09 Author: CyberScoop [AUSCERT has published security bulletins for these Microsoft updates] The most severe defect disclosed this month — CVE-2025-55232 — is a deserialization of untrusted data vulnerability affecting Microsoft High Performance Compute Pack with a CVSS rating of 9.8. Microsoft said exploitation is less likely, but researchers warned organizations to prioritize patching. Fortinet, Ivanti, Nvidia Release Security Updates Date: 2025-09-10 Author: Security Week [AUSCERT has published security bulletins for these Fortinet updates] Fortinet, Ivanti, and Nvidia on Tuesday announced security updates that address over a dozen high- and medium-severity vulnerabilities across their product portfolios. Ivanti resolved two high-severity insufficient filename validation issues in Endpoint Manager (EPM) that could be exploited remotely, without authentication, to execute arbitrary code. The exploitation of both defects, however, require user interaction. ASB-2025.0158 – Microsoft Azure: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of September 2025, which resolves 3 important vulnerabilities with Azure Connected Machine Agent and HPC Pack 2019. Microsoft recommends updating the software to the latest available version available on the Microsoft Update Catalog. ESB-2025.6253 – IBM MQ container software: CVSS (Max): 9.8 Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images, such as memory corruption issues, crashes and denial of service. IBM strongly recommends applying the latest container images. ESB-2025.6435 – kernel: CVSS (Max): 7.8 An update for kernel is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, resolving various security issues and exploited vulnerability as identified on the CISA KEV list. ESB-2025.6441 – Daikin Security Gateway: CVSS (Max): 9.8 A weak password recovery mechanism for forgotten passwords has been identified in this product. Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the system. Daikin has reported they will not fix this vulnerability and will respond directly to user inquiries. ESB-2025.6437 – imagemagick: CVSS (Max): 9.8 Multiple memory corruption vulnerbilities were discovered in imagemagick, a software suit used for editing and manipulating digital images, which could lead to information leak, denial of service, and potentially arbitrary code execution. It is recommended that you upgrade your imagemagick packages. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, We’re excited to release a brand-new episode of the Share Today, Save Tomorrow podcast, Episode 44: Security2Cure – Where Cyber Meets Health Planning. In this powerful episode, host Bek Cheb speaks with Zane Jarvis, founder of the charity Security2Cure, an initiative born from personal tragedy and driven by a mission to raise awareness around cancer, health planning, and digital preparedness. Zane shares his deeply personal story and explains how core cyber security principles have inspired a unique framework for personal wellbeing and future planning. With Security2Cure’s upcoming Brisbane conference on the 10th October, this episode offers the perfect opportunity to explore the charity’s mission and learn more about their work. This is an episode you won’t want to miss, and it’s available on Spotify, Apple Podcasts, and YouTube now. This week, a widespread supply chain attack linked to Salesloft Drift has impacted hundreds of organisations, including Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and SpyCloud. While Salesloft initially claimed exposure was limited to Salesforce-integrated customers, Google’s Threat Intelligence Group and Mandiant have warned that any platform integrated with Drift may be compromised. The attack, attributed to threat group UNC6395, led to the exposure of sensitive customer data such as business emails, phone numbers, support case details, and, in some cases, credentials. While no core products or infrastructure were directly breached, many companies are rotating tokens, tightening security, and investigating potential impacts. Salesloft announced that Drift will be taken offline to strengthen security and conduct a full review. The incident highlights the growing risks of third-party integrations, with more than 700 organizations potentially affected. Google warns Salesloft breach impacted some Workspace accounts Date: 2025-08-28 Author: Bleeping Computer Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances. "Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,' warns Google. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised." NIST Enhances Security Controls for Improved Patching Date: 2025-09-02 Author: Dark Reading Addressing the ongoing patch management problem requires more finessing, especially to protect the software supply chain. The US National Institute of Standards and Technology (NIST) revised its Security and Privacy Control catalog to help vendors and organizations improve software update and patch release protocols. Originally published in 2020, the Security and Privacy Control catalog details security and privacy safeguards to help organizations mitigate cyber-risks. Federal information systems are required to implement the controls, but the catalog is intended for the private and public sectors. It covers access, authentication, incident response, and supply chain risk management. WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices Date: 2025-08-30 Author: The Hacker News WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 (CVSS score: 8.0 [CISA-ADP]/5.4 [Facebook]), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug. The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device." Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication Date: 2025-08-29 Author: The Hacker News Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts. The campaign used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow," Amazon's Chief Information Security Officer CJ Moses said. Melbourne dev finds gift card PINs can be brute-forced Date: 2025-09-03 Author: itnews Gift cards sold in Australian supermarkets can have their PINs easily guessed, thanks to a vulnerability on the issuer's website, opening them up to redemption by thieves who only need to know the card number to access the stored funds. The vulnerability was discovered by Melbourne developer Simon Dean who bought two gift cards worth $500 each, which he intended to use to purchase a laptop at JB Hi-Fi with. After buying the cards, Dean ran into trouble redeeming them as the cards had had the last four digits scratched off them. ESB-2025.6241 – Ruby It was discovered that Ruby incorrectly handled certain IO stream methods. A remote attacker could use this issue to cause Ruby to crash, resulting in a denial of service, or possibly obtain sensitive information. ASB-2025.0156.2 – Salesloft Drift Several major firms, including ZScaler, Cloudflare, and Palo Alto Networks, confirmed breaches of their Salesforce databases. The incidents stem from a data theft campaign exploiting the third-party Salesloft Drift integration with Salesforce. ESB-2025.6176 – Google Android The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. ESB-2025.6205 – Cisco Products A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, The team are already hard at work planning another amazing AUSCERT conference, and we’re excited to share these key dates with you! AUSCERT2026 will run from 19–22 May at The Star, Gold Coast. Tutorials will take place on 19 and 20 May, followed by the main conference on 21 and 22 May. Don’t miss the Welcome Reception at 5:00 PM on 20 May, or the Gala Dinner on 21 May. Stay tuned for more details, including the Call for Tutorials in October and the Call for Presentations in November. We can’t wait to see you there! This week marked Scams Awareness Week, a nationwide campaign aimed at helping Australians stay safe online. This year’s theme, “Stop. Check. Protect.” encourages us all to pause before clicking, verify information, and take proactive steps to safeguard our personal and financial details. The Scamwatch “Scam Statistics” page is a standout resource, providing an interactive dashboard that allows you to explore real-time data on scam reports. Every report feeds into a national intelligence network that contributes to early detection and disruption efforts. You can see which scams are growing, which methods are being used most effectively, and where education and awareness are making an impact. Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 Date: 2025-08-25 Author: The Hacker News Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775 Date: 2025-08-27 Author: Security Affairs [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5974] Experts at the Shadowserver Foundation warn that more than 28,200 Citrix instances are vulnerable to the vulnerability CVE-2025-7775, which is under active exploitation. CVE-2025-7775 (CVSS score: 9.2) is a memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service. This week, Citrix addressed three security flaws (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) in NetScaler ADC and NetScaler Gateway, including one (CVE-2025-7775) that it said has been actively exploited in the wild. CISA warns of actively exploited Git code execution flaw Date: 2025-08-26 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5077] The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system. The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has set the patch deadline for federal agencies to September 15th. Git version control system allows software development teams to track codebase changes over time. The library is the backbone of modern software collaboration, serving as the basis for platforms such as GitHub, GitLab, and Bitbucket. High-severity vulnerability in Passwordstate credential manager. Patch now. Date: 2025-08-29 Author: Ars Technica The maker of Passwordstate, an enterprise-grade password manager for storing companies’ most privileged credentials, is urging them to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. The authentication bypass allows hackers to create a URL that accesses an emergency access page for Passwordstate. From there, an attacker could pivot to the administrative section of the password manager. A CVE identifier isn’t yet available. A hacker used AI to automate an 'unprecedented' cybercrime spree, Anthropic says Date: 2025-08-27 Author: NBC News A hacker has exploited a leading artificial intelligence chatbot to conduct the most comprehensive and lucrative AI cybercriminal operation known to date, using it to do everything from find targets to write ransom notes. In a report published Tuesday, Anthropic, the company behind the popular Claude chatbot, said that an unnamed hacker “used AI to what we believe is an unprecedented degree” to research, hack and extort at least 17 companies. ESB-2025.5938 – Atlassian Products: CVSS (Max): 9.4 Atlassian monthly bulletin addresses 14 high-severity and 1 critical-severity vulnerabilities. Users are advised to upgrade their Server/Data Center instances to the latest versions. ESB-2025.5966 – IBM Security QRadar SIEM: CVSS (Max): 9.8 IBM has addressed vulnerable open-source components such as Linux kernel and Python libraries in QRadar SIEM which may be exploitable via automated scanning tools. ESB-2025.5974 – Citrix Products: CVSS (Max): 9.2 Citrix has released urgent patches addressing three serious vulnerabilities in NetScaler ADC and NetScaler Gateway—including a critical zero-day memory-overflow flaw actively exploited in the wild, and additional memory-overflow & management-interface access control issues. ESB-2025.6029 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 6.5 GitLab delivered patch releases 18.3.1, 18.2.5, and 18.1.5 for both CE and EE, addressing multiple security and bug fixes, and strongly urges all self-managed users to upgrade immediately. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, We are excited to announce the release of a new episode of Share Today, Save Tomorrow – Episode 43: Behind the Code: Josh Hopkins on Building, Leading, and Leveling Up AUSCERT. In this episode, host Bek Cheb sits down with Josh, our Team Leader of Development, for an open and insightful chat about life behind the screens in cyber defence. From his unexpected journey into cyber security to leading a dynamic development team, Josh reflects on the twists and turns of his career, describes the sometimes-unpredictable nature of a typical working day, and how experimentation, collaboration, and a passion for building innovation within the team makes working at AUSCERT so unique. This episode is available on Spotify and Apple Podcasts. This week, iiNet, owned by TPG Telecom, has confirmed that an unknown third party gained unauthorised access to iiNet’s order management system on Saturday, August 16, 2025. The breach led to the extraction of approximately 280,000 email addresses, along with 10,000 usernames, phone numbers, and nearly 1,700 modem setup passwords, though no financial or identity documents were compromised. TPG responded swiftly by isolating the breach, engaging external cyber security experts, and initiating its incident response plan immediately upon discovery. Customers are being contacted directly and urged to remain vigilant against phishing attempts. Apple fixes new zero-day flaw exploited in targeted attacks Date: 2025-08-20 Author: Bleeping Computer [AUSCERT has published security bulletins for these Apple updates] Apple has released emergency updates to patch another zero-day vulnerability that was exploited in an "extremely sophisticated attack." Tracked as CVE-2025-43300, this security flaw is caused by an out-of-bounds write weakness discovered by Apple security researchers in the Image I/O framework, which enables applications to read and write most image file formats. Cisco Patches Critical Vulnerability in Firewall Management Platform Date: 2025-08-15 Author: Security Week [AUSCERT has published security bulletins for these Cisco updates] Cisco has published more than 20 security advisories as part of its August 2025 bundled publication for Secure Firewall Management Center (FMC), Secure Firewall Threat Defense (FTD), and Secure Firewall Adaptive Security Appliance (ASA) products. The most serious vulnerability — based on its severity rating — is CVE-2025-20265, a critical flaw affecting the Secure FMC platform designed for managing and monitoring Cisco FTD appliances and other security solutions. TPG Telecom reveals iiNet order management system breached Date: 2025-08-19 Author: iTnews TPG Telecom has revealed that iiNet’s order management system was breached by an unknown attacker who abused legitimate credentials to gain access. The telco said that it “appears” that a list of email addresses and phone numbers was extracted from the system. The order management system is used to create and track orders for iiNet services. Microsoft: Recent Windows updates may fail to install via WUSA Date: 2025-08-18 Author: Bleeping Computer Microsoft has mitigated a known issue that caused Windows update failures when installing them from a network share using the Windows Update Standalone Installer (WUSA). WUSA is a built-in command-line tool that helps IT admins install and uninstall Microsoft Standalone Update (.msu) files through the Windows Update Agent API to deploy and remove patches, hotfixes, and updates. This known issue affects Windows 11 24H2 and Windows Server 2025 systems on enterprise networks, as WUSA isn't a common method for installing Windows updates on home devices. HR giant Workday discloses data breach after Salesforce attack Date: 2025-08-18 Author: Bleeping Computer Human resources giant Workday has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack. As the company revealed in a Friday blog, the attackers gained access to some of the information stored on the compromised CRM systems, adding that no customer tenants were impacted. ESB-2025.5731 – Cisco Secure Firewall Management Center Software: CVSS (Max): 10.0 A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. Cisco has released software updates that address this vulnerability. ESB-2025.5888 – firefox-esr: CVSS (Max): 9.8 Multiple security issues have been found and patched in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. ESB-2025.5881 – Linux kernel (IoT): CVSS (Max): 9.8* Several security issues were discovered and patched in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.5710 – IBM Security QRadar SIEM: CVSS (Max): 9.4 Vulnerable components in IBM Security QRadar SIEM (e.g., framework libraries) have been identified that may be exploited with automated tools. IBM QRadar Data Synchronization app for IBM QRadar SIEM has addressed the applicable CVEs. ESB-2025.5788 – Apache HTTP Server: CVSS (Max): 9.1 Several security issues were fixed in Apache HTTP Server that potentially allowed remote attackers to perform HTTP response splitting attacks, send outbound proxy requests to an arbitrary url, insert escape characters into log files, bypass access control, denial of service, or perform configuration changes in certain environments. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Over the weekend of August 10–11, the University of Western Australia (UWA) was forced to lock thousands of staff and students out of its systems after detecting unauthorised access to password information. The breach prompted an immediate and large-scale security response, with all users required to reset their credentials before regaining access. The university’s critical incident management team worked through the weekend to contain the threat and has confirmed there is currently no evidence that any data beyond password details was compromised. UWA notified authorities immediately, and a full investigation is underway alongside a review of existing security measures to strengthen defences. UWA has issued an apology to those affected, stressing its commitment to swift action and transparency. This incident comes amid heightened scrutiny of data protection in Australia, following recent legal proceedings against Optus over its 2022 breach. Whilst this incident did not involve personal or sensitive information, it highlights the growing urgency for educational institutions to protect such data against evolving cyber threats. Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws Date: 2025-08-13 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5516/] Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution. The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation. Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code Date: 2025-08-13 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5593.2/] Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild. The vulnerability, tracked as CVE-2025-25256, carries a CVSS score of 9.8 out of a maximum of 10.0. “An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” the company said in a Tuesday advisory. Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws Date: 2025-08-12 Author: Bleeping Computer [AUSCERT has published security bulletins for these Microsoft updates] The monthly Microsoft Patch Tuesday for August contains 107 flaws, including 13 critical vulnerabilities and one publicly disclosed zero-day vulnerability in Window Kerberos. Of the 13 critical vulnerabilities, 9 are remote code execution (RCE) vulnerabilities, 3 are information disclosure, and 1 is elevation of privileges. The zero-day is a flaw in Microsoft SQL Server. Trend Micro reports two critical CVEs under active exploit Date: 2025-08-10 Author: The Register A critical vulnerability in the on-prem version of Trend Micro’s Apex One endpoint security platform is under active exploitation, the company admitted last week, and there’s no patch available. Trend Micro last week warned Apex One 2019 customers about CVE-2025-54948 and CVE-2025-54987, both with a CVSS score of 9.4 and both present in the platform’s web-based managed console. Australian Regulator Sues Optus Over 2022 Data Breach Date: 2025-08-08 Author: Infosecurity Magazine The Australian Information Commissioner (AIC) has launched civil action against Optus for a 2022 data breach that exposed the personal details of 9.5 million Australians. The lawsuit alleges that telecommunications firm Optus failed to take reasonable steps to protect victims’ personal information from unauthorized access and disclosure, in breach of Australia’s Privacy Act 1988. ESB-2025.5593.2 – Fortinet FortiSIEM An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests. ESB-2025.5622 – Cortex XDR Broker VM A credential management flaw in Palo Alto Networks Cortex XDR Broker VM causes different Broker VM images to share identical default credentials for internal services. ASB-2025.0155 – Microsoft Windows Microsoft has released its monthly security patch update for the month of August 2025. This update resolves 67 vulnerabilities. ESB-2025.5516 – Zoom Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, New insights suggests that the recent Qantas data breach impacting an estimated 5.7 million customers may be the work of the notorious ShinyHunters hacking collective, rather than Scattered Spider, as was initially suspected. Investigators are now drawing connections between ShinyHunters and a growing wave of cyber attacks targeting Salesforce CRM platforms. Recent victims of similar attacks include Allianz Life, LVMH, Adidas, Google and now, potentially, Qantas. Reports suggest that the threat actors employed vishing techniques (voice phishing) in conjunction with modified versions of Salesforce’s Data Loader tool to extract sensitive customer records. This method demonstrates the group’s ability to combine social engineering with technical exploitation to bypass conventional security measures. Recent reports also reveal that Google suffered a breach in this same wave of attacks, with ShinyHunters allegedly using identical techniques to access Salesforce data linked to customer support operations. This reinforces the theory that the group is systematically exploiting CRM platforms and supply chain connections across multiple sectors. The Qantas breach highlights the evolving nature of cyber criminal alliances and the growing risks associated with cloud-based platforms, particularly when combined with sophisticated social engineering campaigns. Organisations using Salesforce and similar CRM systems are being urged to review access controls, monitor for anomalous activity, and strengthen employee awareness programs to reduce the risk of compromise. Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment Date: 2025-08-07 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0144/] Microsoft on Wednesday informed organizations about a high-severity vulnerability affecting hybrid deployments of Exchange Server. According to Microsoft, the vulnerability, tracked as CVE-2025-53786, can be exploited by an attacker to escalate privileges. “In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft explained. Mozilla flags phishing wave aimed at hijacking trusted Firefox add-ons Date: 2025-08-04 Author: The Register Mozilla is warning of an ongoing phishing campaign targeting developers of Firefox add-ons. The browser maker urged devs to "exercise extreme caution and scrutiny" when reviewing seemingly legitimate emails from senders pretending to be Mozilla or AMO (addons.mozilla.org). Although phishing emails can take many forms, Moz said this campaign usually lures devs into clicking through a malicious link to update their account. Failure to do so, or so the crims claim, would result in the dev losing access to developer features. Cisco discloses data breach impacting Cisco.com user accounts Date: 2025-08-05 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0143/] Cisco has disclosed that cybercriminals stole the basic profile information of users registered on Cisco.com following a voice phishing (vishing) attack that targeted a company representative. After becoming aware of the incident on July 24th, the networking equipment giant discovered that the attacker tricked an employee and gained access to a third-party cloud-based Customer Relationship Management (CRM) system used by Cisco. Perplexity vexed by Cloudflare's claims its bots are bad Date: 2025-08-05 Author: The Register AI search biz Perplexity claims that Cloudflare has mischaracterized its site crawlers as malicious bots and that the content delivery network made technical errors in its analysis of Perplexity's operations. Akira Ransomware Hits SonicWall VPNs, Deploys Drivers to Bypass Security Date: 2025-08-06 Author: Hack Read GuidePoint Security uncovers a new Akira ransomware tactic targeting SonicWall VPNs. The group’s use of drivers to disable defenses is a significant threat to businesses. A new report by cybersecurity firm GuidePoint Security reveals a clever new method used by the Akira ransomware group to attack computer networks. Researchers found that following initial access into systems, the hackers have been using two specific software drivers to secretly disable security tools, a key step before deploying their ransomware. ESB-2025.5345 – Google Android: CVSS (Max): 8.6* Google patches critical remote code execution vulnerability in the System component in Android 10, which can be exploited without user interaction or extra privileges. ESB-2025.5401 – Adobe Experience Manager (AEM) Forms on JEE: CVSS (Max): 10.0 Adobe released a critical security update for Adobe Experience Manager (AEM) Forms on JEE (versions 6.5.23.0 and earlier) to address two severe vulnerabilities: an XXE flaw allowing arbitrary file system reads, and a misconfiguration‑based flaw enabling arbitrary code execution. ASB-2025.0143 – Salesforce: CVSS (Max): None Threat actors are impersonating Salesforce IT support via vishing and phishing to trick users into installing malicious connected apps, enabling data exfiltration. Impacted organizations face delayed extortion attempts and potential lateral movement to cloud services like Microsoft 365 and Okta. ASB-2025.0144 – Microsoft Exchange Server: CVSS (Max): 8.0 Microsoft has issued a warning about a high-severity vulnerability (CVE‑2025‑53786) affecting hybrid Exchange deployments, where on-premises servers share a service principal with Exchange Online. Stay safe, stay patched and have a good weekend! The AUSCERT team