In the ever-evolving landscape of cybersecurity, the distinction between routine updates and significant security incidents is rapidly diminishing. Systems once perceived as stable are now under constant pressure from dynamic changes, fueled by new AI tools, an increasing number of connected devices, and automated systems that create new entry points faster than security teams can react. This week’s cybersecurity news highlights how easily minor oversights or persistent hidden services can escalate into full-blown breaches. Attackers are adept at leveraging automation against the very systems designed to protect organizations, often reusing existing infrastructure rather than developing entirely new methods. Their speed and stealth are outpacing the patching and response capabilities of many organizations, with attacks increasingly focusing on maintaining control and remaining undetected.
For entities safeguarding any connected assets, from developer tools and cloud infrastructure to internal networks, understanding emerging attack vectors is crucial. This recap offers insight into the current direction of cyber threats, moving beyond historical patterns to address sophisticated, ongoing campaigns. The cybersecurity challenges presented this week underscore the need for a proactive and adaptive defense strategy.
Fortinet FortiSIEM Critical Flaw Under Active Exploitation
A critical security vulnerability within Fortinet’s FortiSIEM platform, identified as CVE-2025-64155, is currently being actively exploited in the wild. This flaw, carrying a CVSS score of 9.4, allows unauthenticated attackers to execute arbitrary code or commands by sending specially crafted TCP requests. According to a technical analysis by Horizon3.ai, the vulnerability is twofold: an argument injection flaw enables arbitrary file writes to achieve remote code execution as an administrator, and a file overwrite vulnerability leads to root access, granting complete control over the affected appliance.
The vulnerability resides within the phMonitor service, an internal FortiSIEM component operating with elevated privileges and integral to the system’s health and monitoring functions. Successful exploitation provides attackers with full administrative control of the appliance, making it a high-priority target for patching. Organizations utilizing Fortinet FortiSIEM should prioritize addressing this critical vulnerability immediately to prevent unauthorized access and potential system compromise.
In other developments this week, a range of notable incidents and advisories surfaced:
Linux Malware VoidLink Enables Persistent Access
A new cloud-native Linux malware framework named VoidLink has emerged, specifically targeting cloud environments. This sophisticated framework offers attackers a suite of custom loaders, implants, rootkits, and plugins designed for enhanced stealth, reconnaissance, privilege escalation, and lateral movement within compromised networks. VoidLink is engineered for long-term access, surveillance, and data collection, eschewing short-term disruption for sustained control. Operators can manage its components via a web-based dashboard reportedly localized for Chinese users.
A key feature of VoidLink’s architecture is its emphasis on automated evasion. The malware profiles the Linux environment to select the most effective strategies for operating undetected. If signs of tampering or analysis are detected on an infected machine, it can self-delete and activate anti-forensics modules to erase traces of its activity. Its extensive feature set includes rootkit capabilities, an in-memory plugin system for extensibility, and the ability to dynamically adjust its evasion techniques based on the security products it detects. Check Point noted that VoidLink draws inspiration from Cobalt Strike and reflects a level of planning typically associated with professional threat actors. While its exact purpose remains unclear and no real-world infections have been confirmed, it is believed to have been developed either as a commercial product or for a specific client.
Microsoft Disrupts RedVDS Criminal Service
Microsoft, in coordination with legal partners in the U.S. and the U.K., has successfully disrupted RedVDS, a cybercriminal subscription service facilitating fraud campaigns that resulted in millions of dollars in losses. Microsoft announced the seizure of RedVDS’s website and infrastructure, a platform that provided cybercrime-as-a-service tools for phishing and fraud at monthly costs as low as $24. This service is estimated to have cost victims in the U.S. alone over $40 million since March 2025.
Microsoft identified nearly 190,000 organizations globally impacted by RedVDS-supported campaigns. The service offered criminals access to inexpensive, disposable virtual computers running unlicensed software, including Windows, enabling large-scale phishing attacks and business email compromise (BEC) schemes. RedVDS was also linked to real estate payment diversion scams affecting thousands in Canada and Australia. The service operated by renting servers from third-party providers, allowing cybercriminals to conduct operations with minimal friction and rapid iteration of campaigns. Microsoft stated that RedVDS’s unrestricted administrative access and minimal logging enabled actors to operate with little oversight.
Over 550 Kimwolf Botnet C2 Nodes Null-Routed
Lumen Technologies’ Black Lotus Labs has reported blocking more than 550 command-and-control (C2) nodes associated with the Aisuru and Kimwolf botnets since October 2025. These botnets have gained notoriety for orchestrating hypervolumetric distributed denial-of-service (DDoS) attacks. Kimwolf, which primarily targets Android TV boxes, has amassed a botnet of over two million devices. The disruption of RapperBot and the arrest of its alleged leader in August 2025 are believed to have contributed to the rise of Aisuru and Kimwolf.
Recent research by QiAnXin XLab and Synthient highlighted how these botnets leverage proxy services to expand their reach. Infoblox reported that nearly 25% of its cloud customers have queried a Kimwolf domain since October 1, 2025. Chris Formosa of Lumen Technologies’ Black Lotus Labs emphasized the widespread presence of these residential proxies, noting that many seemingly secure networks contain devices running them, which gives attackers potential footholds that bypass existing security controls. This pervasive use of residential proxies presents a significant challenge for network defenders.
Reprompt Attack Targets Microsoft Copilot
Security researchers have identified a new attack named Reprompt, capable of exfiltrating user data from Microsoft Copilot via a specially crafted link. The attack bypasses existing data leak protections and allows data exfiltration to persist even after the Copilot session has been closed. The technique combines Parameter 2 Prompt (P2P) injection, a double-request method, and a chain-request technique to achieve exfiltration.
Varonis stated that client-side monitoring tools are unlikely to detect these malicious prompts, as the data exfiltration occurs dynamically during back-and-forth communication, not from obvious elements within the user’s initial prompt. This attack did not affect enterprise customers using Microsoft 365 Copilot, and Microsoft has since addressed the vulnerability.
AWS CodeBuild Misconfiguration Creates Supply Chain Risks
A critical misconfiguration within Amazon Web Services (AWS) CodeBuild, codenamed CodeBreach, could have allowed a complete takeover of AWS’s own GitHub repositories, including the AWS JavaScript SDK. The issue, fixed by AWS in September 2025, posed a risk to every AWS environment. Wiz reported that exploiting CodeBreach could have enabled attackers to inject malicious code, leading to a platform-wide compromise affecting applications dependent on the SDK and the AWS Console itself, thereby threatening all AWS accounts.
Trending CVEs This Week
The rapid pace at which attackers exploit newly disclosed vulnerabilities underscores how little time defenders have to respond. A single missed patch can lead to a significant breach. This week’s most critical security flaws demand immediate attention.
Key vulnerabilities include CVE-2025-64155 (Fortinet FortiSIEM) and CVE-2025-20393 (Cisco AsyncOS Software). Other notable CVEs span a wide range of software, including Palo Alto Networks PAN-OS (CVE-2026-0227), Microsoft Windows (CVE-2026-20805), ServiceNow (CVE-2025-12420), Node.js (CVE-2025-59466, CVE-2025-59465), Apache Struts 2 (CVE-2025-68493), Angular (CVE-2026-22610), Hikvision devices (CVE-2025-66176, CVE-2025-66177), SAP (CVE-2026-0501, CVE-2026-0500, CVE-2026-0498, CVE-2026-0491), Mailpit (CVE-2026-21859, CVE-2026-22689), OpenProject (CVE-2026-22601 to CVE-2026-22604), Cal.com (CVE-2026-23478), and several plugins such as Demo Importer Plus (CVE-2025-14364), News and Blog Designer Bundle (CVE-2025-14502), and Integration Opvius AI for WooCommerce (CVE-2025-14301). Additionally, vulnerabilities in PagerDuty Runbook (CVE-2025-52493), ASP.NET Core Kestrel server (CVE-2025-55315), Microsoft Windows Admin Center (CVE-2026-20965), and Livewire Filemanager (CVE-2025-14894) were also highlighted.
Around the Cyber World
Unpatched Flaw in Livewire Filemanager: A disclosed but unpatched security flaw (CVE-2025-14894) in Livewire Filemanager, a component for Laravel-based websites, allows threat actors to upload and execute malicious PHP files remotely. CERT/CC noted that this enables unauthenticated arbitrary code execution on the host device.
More GhostPoster Extensions Spotted: LayerX has identified a new cluster of 17 browser extensions linked to GhostPoster, impacting Chrome and Edge users. These extensions, designed to hijack affiliate links and inject tracking code, have accumulated over 840,000 installs and date back to 2020. GhostPoster is part of a broader campaign attributed to a Chinese threat actor known as DarkSpectre.
RedLineCyber Distributes Clipboard Hijacking Malware: A threat actor, RedLineCyber, is reportedly using the notoriety of the RedLine information stealer to distribute a Python-based clipboard hijacking trojan, “Pro.exe” or “peeek.exe.” This malware monitors the Windows clipboard for cryptocurrency wallet addresses and replaces them with the attacker’s own to facilitate theft. CloudSEK reports distribution occurs through social engineering within Discord communities focused on gaming, gambling, and cryptocurrency.
Fake Shipping Documents Deliver Remcos RAT: A phishing campaign utilizing shipping-themed lures is distributing a new variant of Remcos RAT. Recipients are tricked into opening a malicious Microsoft Word document that exploits a legacy Microsoft Office flaw (CVE-2017-11882) to execute the RAT directly in memory. The RAT enables comprehensive data gathering and system control capabilities.
Google Releases Rainbow Tables for Net-NTLMv1: Google’s Mandiant threat intelligence division has released a comprehensive dataset of Net-NTLMv1 rainbow tables to expedite the deprecation of this outdated protocol. While Microsoft plans to move away from NTLM, Net-NTLMv1 continues to be used, leaving organizations vulnerable to credential theft. The released dataset allows for key recovery using consumer hardware in under 12 hours.
Former U.S. Navy Sailor Sentenced for Spying for China: A former U.S. Navy sailor, Jinchao Wei, has been sentenced to 200 months in prison for selling national defense secrets to China. Wei, who had access to sensitive information about the U.S.S. Essex, provided thousands of documents and operational manuals to a Chinese intelligence officer in exchange for over $12,000.
Australia Warns Domestic Firms About AI Security Risks: The Australian Signals Directorate (ASD) has cautioned Australian businesses against uploading sensitive customer data to AI chatbots and generative AI platforms without proper anonymization. The ASD highlighted risks of data reuse, potential hallucinations, and vulnerabilities to prompt injection attacks. Secure deployment of AI chatbots and due diligence regarding AI providers are emphasized.
Jordanian National Pleads Guilty to Selling Access: A Jordanian national, Feras Khalil Ahmad Albashiti, has pleaded guilty in the U.S. to charges related to selling network access to at least 50 companies through a cybercriminal forum. Albashiti, operating under the alias “r1z,” marketed services including malware droppers and exploit access, and faces a maximum penalty of 10 years imprisonment.
Google Agrees to Pay $8.25M for Children’s Privacy Violations: Google has agreed to pay $8.25 million to settle a class-action lawsuit alleging the company illegally collected data from children under 13 via apps containing its AdMob SDK, violating the Children’s Online Privacy Protection Act (COPPA).
U.S. Bank Targeted by Keylogger: Sansec identified a keylogger on a major U.S. bank’s employee merchandise store, designed to intercept login credentials, payment card numbers, and personal information. The malware, which has since been removed, used an image beacon for data exfiltration and shows infrastructure similarities to a previous breach of the Green Bay Packers Pro Shop.
Payroll Pirates Redirect Paychecks via Social Engineering: Threat actors known as Payroll Pirates compromised an unnamed organization’s payroll system through social engineering. By impersonating employees and performing password resets, they successfully altered direct deposit details, redirecting paychecks to accounts under their control. The incident was discovered when employees reported missing paychecks.
New Attack Uses DLL Side-Loading for PDFSIDER Malware: An unknown threat actor is using DLL side-loading to deploy the PDFSIDER backdoor, which features encrypted C2 communications. The malware operates primarily in memory, minimizing disk artifacts, and uses a fake cryptbase.dll to evade endpoint detection. It is delivered via spear-phishing emails.
Conclusion
The pervasive and interconnected nature of modern cyber threats demands a unified defense strategy. Attackers no longer view cloud platforms, AI tools, and enterprise software as isolated entities but as a single, interconnected environment ripe for exploitation. Consequently, defenders must adopt a similar holistic approach, continuously monitoring all aspects of their digital infrastructure. The events of this week serve as a stark reminder that even seemingly minor vulnerabilities or misconfigurations can create significant entry points for malicious actors. Every update, configuration, and access control is critical, as the next attack is likely to originate from a compromised element already within the system. This recap underscores the persistent challenge of closing security gaps before they can be exploited in the ongoing battle against cyber threats.

