7 Nov 2025

Week in review

Greetings,

Time is running out to submit a tutorial proposal for AUSCERT2026! Submissions close Monday November 10, so be sure to get in now before it’s too late. If you have practical experience or a unique perspective on cyber security practices, this is your chance to lead an in-depth session and share your insights with peers from across the industry.

We encourage submissions from professionals of all backgrounds and experience levels, whether you're a seasoned trainer or a first-time presenter. All successful applicants will receive complimentary conference registration, plus costs covered for flights and accommodation.

In a recent update, SonicWall has confirmed that the September security breach involving unauthorised access to firewall configuration backup files was the work of a state-sponsored threat actor. The company enlisted cyber security firm Mandiant to investigate the incident; that investigation has now concluded, finding that the breach was limited to a specific cloud environment accessed via an API call. Mandiant determined that SonicWall’s core products, firmware, systems, tools, source code and customer networks were unaffected.

The breach, first disclosed on September 17, exposed firewall configuration backup files stored in certain MySonicWall accounts. These configuration files contained credentials and tokens that could make exploitation of the affected customer firewalls considerably easier. In response, SonicWall urged affected users to reset the credentials linked to their accounts and network configurations.

By October 9, SonicWall clarified that all customers utilising its cloud backup service were impacted, though the breach was contained and did not compromise the integrity of its broader infrastructure. The company also emphasised that this incident was unrelated to separate attacks by the Akira ransomware gang, which targeted MFA-protected VPN accounts later that month.


Critical WordPress Post SMTP Plugin Vulnerability Puts 400,000 Sites at Risk of Account Takeover
Date: 2025-11-04
Author: GBHackers

A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web.
The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites.

Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks
Date: 2025-11-05
Author: Security Week

Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.
React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms.
The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week.

Australia warns of BadCandy infections on unpatched Cisco devices
Date: 2025-10-31
Author: Bleeping Computer

The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell.
The vulnerability exploited in these attacks is CVE-2023-20198, a maximum-severity flaw that allows remote, unauthenticated threat actors to create a local user with privilege level 15 (full administrative access) via the web user interface and take over the devices.
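Because CVE-2023-20198 is reached through the IOS XE web UI, the first question for a defender is whether the web UI is enabled and reachable at all, and whether any privilege-15 accounts exist that nobody remembers creating. The script below is an added example, not code from AUSCERT, Cisco or the cited article: it parses a saved running-config and flags those two conditions. The configuration text is constructed for illustration, and the set of expected administrator accounts is an assumption you would replace with your own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an IOS XE running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abcdef
username cisco_support_tmp privilege 15 secret 9 $9$123456
username monitor privilege 1 secret 9 $9$789012
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""

# "ip http server" / "ip http secure-server" enable the web UI over HTTP / HTTPS.
# Anchoring at line start means "no ip http server" is correctly not matched.
HTTP_RE = re.compile(r"^ip http server\s*$", re.M)
HTTPS_RE = re.compile(r"^ip http secure-server\s*$", re.M)
# "ip http access-class ..." restricts which source addresses may reach the web UI.
ACCESS_CLASS_RE = re.compile(r"^ip http access-class\b", re.M)
# Local accounts; privilege 15 is full administrative access.
USER_RE = re.compile(r"^username (\S+) privilege (\d+)", re.M)


@dataclass
class WebUiFindings:
    http_enabled: bool
    https_enabled: bool
    access_class_applied: bool
    unexpected_admins: list = field(default_factory=list)

    @property
    def web_ui_exposed(self) -> bool:
        """True when the web UI is on and no access-class limits who can reach it."""
        return (self.http_enabled or self.https_enabled) and not self.access_class_applied


def audit_web_ui(config: str, expected_admins: set) -> WebUiFindings:
    """Report web UI exposure and any privilege-15 accounts not in the expected set."""
    unexpected = [
        user for user, priv in USER_RE.findall(config)
        if int(priv) == 15 and user not in expected_admins
    ]
    return WebUiFindings(
        http_enabled=bool(HTTP_RE.search(config)),
        https_enabled=bool(HTTPS_RE.search(config)),
        access_class_applied=bool(ACCESS_CLASS_RE.search(config)),
        unexpected_admins=unexpected,
    )


if __name__ == "__main__":
    # Assumed baseline: "netops" is the only sanctioned privilege-15 account.
    findings = audit_web_ui(SAMPLE_CONFIG, expected_admins={"netops"})
    print(f"web UI exposed without access-class: {findings.web_ui_exposed}")
    print(f"unexpected privilege-15 accounts: {findings.unexpected_admins}")
```

An unexpected privilege-15 account is a lead to investigate, not proof of compromise, and a clean result from this check says nothing about an implant that has already been installed; it only tells you whether the device still presents the attack surface the advisory describes. Run it against configs pulled from every IOS XE device, not just the ones you believe are internet-facing.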

Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch
Date: 2025-11-01
Author: Hackread

A vulnerability in Windows Server Update Services (WSUS) is being actively exploited by cybercriminals to plant the Skuld Stealer malware, according to new research from the cybersecurity firm Darktrace.
This service, which helps companies manage Microsoft updates in a centralised manner across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets.

Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058)
Date: 2025-11-04
Author: Zscaler

Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain. Through responsible disclosure and ongoing research, Zscaler helps enterprises stay protected from emerging AI threats with a Zero Trust approach.


ESB-2025.7991 – Apple iOS and iPadOS 18.7.2: CVSS (Max): 8.8

Apple has released iOS 18.7.2 and iPadOS 18.7.2 to address multiple security vulnerabilities—including several high-severity issues (up to CVSS 8.8)—that could allow data exposure, privilege escalation, or remote code execution.

ESB-2025.7983 – Cisco Unified Contact Center Express: CVSS (Max): 9.8

Cisco has released critical patches for Unified Contact Center Express to fix two remote code execution and authentication bypass vulnerabilities (CVE-2025-20354, CVE-2025-20358) that could allow unauthenticated attackers to gain root privileges or execute arbitrary scripts remotely.

ESB-2025.7947 – Radiometrics VizAir: CVSS (Max): 10.0

CISA has issued an advisory for multiple critical (CVSS 10.0) vulnerabilities in Radiometrics VizAir that allow unauthenticated remote attackers to alter weather and runway data, potentially disrupting airport operations and flight safety.

ESB-2025.7914 – Tenable Identity Exposure: CVSS (Max): 9.9

Tenable has released Identity Exposure version 3.77.14 to address multiple high and critical vulnerabilities (up to CVSS 9.9) in third-party components including .NET, SQL Server, and curl.

ESB-2025.7911 – Google Android: CVSS (Max): 9.8

Google has released the November 2025 Android Security Bulletin addressing critical vulnerabilities, including a remote code execution flaw in the System component (CVSS 9.8), which could be exploited without user interaction.


Stay safe, stay patched and have a good weekend!

The AUSCERT team