14 Nov 2025
Week in review
Greetings,
This week, we released an exciting episode of the Share Today, Save Tomorrow podcast! Episode 49 – AUSCERT2026: Game On and Win!
As we prepare to mark the 25th anniversary of the AUSCERT Cyber Security Conference in 2026, we’re counting down with a special giveaway. Hidden within this episode is a codeword, which you can enter using the form linked in the episode description. Entering the correct codeword will put you in the running to win a free registration to AUSCERT2026!
This episode is available now on Spotify, Apple Podcasts, and Soundcloud.
Researchers at Palo Alto Networks’ Unit 42 uncovered a sophisticated commercial-grade spyware campaign targeting users of Samsung Galaxy smartphones across 2024 and into early 2025. The malware, named “LANDFALL”, exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing library, allowing attackers to execute code via malicious DNG (Digital Negative) image files delivered through WhatsApp.
Active for at least seven months, the campaign specifically targeted devices including the Galaxy S24, Z Fold 4 and Z Flip 4. Once infected, LANDFALL enabled extensive surveillance by harvesting audio, phone calls, SMS messages, camera photos and real-time location data. The infrastructure points to a commercial surveillance-tool vendor working with government clients, rather than a traditional cyber-crime gang.
The discovery signals a growing trend of “zero-click” or minimal-interaction attacks that leverage vulnerabilities in image-parsing libraries. Organisations and individuals should remain vigilant by applying patches promptly, restricting app permissions where possible and monitoring for unusual device behaviour.
Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws
Date: 2025-11-11
Author: Bleeping Computer
[AUSCERT has published security bulletins for these Microsoft updates]
Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability.
This Patch Tuesday also addresses four "Critical" vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges, and the fourth is an information disclosure flaw.
Hackers exploited Citrix, Cisco ISE flaws in zero-day attacks
Date: 2025-11-12
Author: Bleeping Computer
[See AUSCERT Bulletins:
https://portal.auscert.org.au/bulletins/ESB-2025.4160.4/
https://portal.auscert.org.au/bulletins/ESB-2025.4041.2/]
An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2” (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available.
Critical Triofox Vulnerability Exploited in the Wild
Date: 2025-11-11
Author: Security Week
[AUSCERT has shared IoCs related to CVE-2025-12480 via its MISP instance]
A threat actor has exploited a critical vulnerability in Triofox to obtain remote access to a vulnerable server and then achieve code execution, Google warns.
Designed to ease remote work and data management, Gladinet’s Triofox is a secure file sharing and remote access solution that can be integrated with existing IT infrastructure.
Critical Cisco Firewall Flaws Exploited for Denial-of-Service Attacks
Date: 2025-11-09
Author: Cyberwarzone
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.6814.2/ & https://portal.auscert.org.au/bulletins/ESB-2025.6813.2/]
Cisco firewalls, widely deployed across enterprises for their security infrastructure, are now facing a new wave of attacks exploiting previously identified critical vulnerabilities to launch denial-of-service (DoS) campaigns. This development intensifies concerns surrounding two security flaws for which Cisco released patches in late September.
Have I Been Pwned Adds 1.96B Accounts From Synthient Credential Data
Date: 2025-11-11
Author: Hackread
Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform. This time, 1.96 billion accounts connected to the Synthient Credential Stuffing Threat Data, in collaboration with the threat-intelligence firm Synthient.
Users who subscribe to HIBP alerts, including this writer, received an email notification stating: “You’ve been pwned in the Synthient Credential Stuffing Threat Data data breach.”
ESB-2025.8191 – Intel CIP Software: CVSS (Max): 8.8
Intel has addressed high-severity flaws in its Computing Improvement Program (CIP) software that could allow privilege escalation or information disclosure.
ESB-2025.8224 – Zoom: CVSS (Max): 8.1
A high-severity vulnerability (CVE-2025-62484) in Zoom Workplace clients allowed an unauthenticated network attacker to escalate privileges.
Zoom recommends updating to version 6.5.10 or later on iOS/Android.
ESB-2025.8281 – runc: CVSS (Max): 7.8
Dangerous flaws in runc could let attackers escape Docker containers and gain root access on the host. Fixes are available in updated runc versions.
ASB-2025.0213 – Microsoft Windows: CVSS (Max): 9.8
Microsoft patched CVE-2025-62215, a Windows Kernel race-condition flaw that allowed authorized attackers to locally elevate privileges to SYSTEM. The zero-day was actively exploited.
Stay safe, stay patched and have a good weekend!
The AUSCERT team