21 Nov 2025
Week in review
Greetings,
AUSCERT recently received Shadowserver’s latest Special Report containing intelligence from Operation Endgame, the international law enforcement effort announced on 13 November 2025. The dataset reveals historical infections linked to the Rhadamanthys information-stealing malware, covering activity between March and November 2025. Unlike Shadowserver’s routine daily feeds, these Special Reports provide rare, high-value insights drawn from long-term forensic investigations, helping organisations understand compromises that may have otherwise gone unnoticed.
Rhadamanthys is a credential-harvesting malware known for targeting browser data, system details, and sensitive login information. Shadowserver classified every entry in this dataset as CRITICAL due to the potential severity of exposure. While exact timestamps weren’t available, the dataset includes “first seen” and “last seen” indicators to show likely periods of infection.
Upon receiving the report, AUSCERT Analysts immediately processed the data through internal systems to identify any potentially affected members. Each affected organisation was contacted directly with tailored details to support rapid awareness and remediation. Several members have since expressed appreciation for the proactive outreach, reinforcing the importance of timely, actionable threat intelligence in responding to long-running malware activity.
IBM AIX Vulnerability Lets Remote Attackers Execute Arbitrary Commands
Date: 2025-11-17
Author: Cyber Press
IBM has released urgent security patches addressing four severe vulnerabilities in AIX and VIOS systems that enable remote attackers to execute arbitrary commands, intercept credentials, and compromise system integrity.
The vulnerabilities span multiple AIX versions and demand immediate remediation from affected organizations.
PoC Exploit Tool Released for FortiWeb WAF Vulnerability Exploited in the Wild
Date: 2025-11-15
Author: Cyber Security News
[AUSCERT has published security bulletins for FortiWeb updates – https://portal.auscert.org.au/bulletins/ESB-2025.8364]
A proof-of-concept (PoC) exploit tool for CVE-2025-64446 has been publicly released on GitHub. This vulnerability, affecting FortiWeb devices from Fortinet, involves a critical path traversal flaw that has already been observed in real-world attacks, allowing unauthorized access to sensitive CGI endpoints.
Security researchers warn that the tool’s availability could accelerate exploitation attempts against unpatched systems worldwide.
Fortinet warns of new FortiWeb zero-day exploited in attacks
Date: 2025-11-18
Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.8401/]
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks.
Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team.
W3 Total Cache WordPress plugin vulnerable to PHP command injection
Date: 2025-11-19
Author: Bleeping Computer
A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection.
GlobalProtect VPN portals probed with 2.3 million scan sessions
Date: 2025-11-20
Author: Bleeping Computer
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign.
Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week.
"GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals," reads the bulletin.
ESB-2025.8360 – Red Hat: lasso: CVSS (Max): 9.8
Red Hat Product Security has rated this update as having a security impact of Critical. The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages.
ESB-2025.8364 – Fortinet FortiWeb: CVSS (Max): 9.8
A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
ESB-2025.8412 – Linux Kernel (Live Patch 61 for SUSE Linux Enterprise 12 SP5): CVSS (Max): 8.8
Security update for the Linux Kernel (Live Patch 61 for SUSE Linux Enterprise 12 SP5) that solves 58 vulnerabilities and has eight security fixes.
ESB-2025.8446 – Atlassian Products: CVSS (Max): 10.0
The vulnerabilities reported in this Security Bulletin include 34 high-severity vulnerabilities and 5 critical-severity vulnerabilities which have been fixed in new versions of our products, released in the last month.
ESB-2025.8463 – Linux kernel (Oracle): CVSS (Max): 9.1
The Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this to expose sensitive information from the host OS. (CVE-2025-40300)
Stay safe, stay patched and have a good weekend!
The AUSCERT team