Fortinet Exploit, Chrome 0-Day, BadIIS Malware, File DDoS, SaaS Breach & Extra

This week noticed a variety of new cyber bother. Hackers hit Fortinet and Chrome with new 0-day bugs. Additionally they broke into provide chains and SaaS instruments. Many hid inside trusted apps, browser alerts, and software program updates.

Massive companies like Microsoft, Salesforce, and Google needed to react quick — stopping DDoS assaults, blocking unhealthy hyperlinks, and fixing dwell flaws. Studies additionally confirmed how briskly pretend information, AI dangers, and assaults on builders are rising.

This is what mattered most in security this week.

⚡ Menace of the Week

Fortinet Warns of One other Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned {that a} new security flaw in FortiWeb has been exploited within the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS rating of 6.7 out of a most of 10.0. It has been addressed in model 8.0.2. “An Improper Neutralization of Particular Components utilized in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb might enable an authenticated attacker to execute unauthorized code on the underlying system through crafted HTTP requests or CLI instructions,” the corporate mentioned. The event got here days after Fortinet confirmed that it silently patched one other vital FortiWeb vulnerability (CVE-2025-64446, CVSS rating: 9.1) in model 8.0.2. Though the corporate has not clarified if the exploitation exercise is linked, Orange Cyberdefense mentioned it noticed “a number of exploitation campaigns” chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet’s dealing with of the problem has are available in for heavy criticism. It is doable that the corporate was conscious however selected to not disclose them to keep away from alerting different risk actors to their existence till a majority of its prospects had utilized the patch. However what’s tough to elucidate at this stage is why Fortinet opted to reveal the issues 4 days aside.

🔔 High Information

• Google Patches New Actively Exploited Chrome 0-Day — Google launched security updates for its Chrome browser to deal with two security flaws, together with one which has come beneath energetic exploitation within the wild. The vulnerability in query is CVE-2025-13223 (CVSS rating: 8.8), a kind confusion vulnerability within the V8 JavaScript and WebAssembly engine that might be exploited to attain arbitrary code execution or program crashes. Clément Lecigne of Google’s Menace Evaluation Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any particulars on who’s behind the assaults, who might have been focused, or the dimensions of such efforts. Nevertheless, the tech big acknowledged that an “exploit for CVE-2025-13223 exists within the wild.” With the most recent replace, Google has addressed seven zero-day flaws in Chrome which were both actively exploited or demonstrated as a proof-of-concept (PoC) because the begin of the 12 months.
• Matrix Push C2 Makes use of Browser Extensions to Take Customers to Phishing Pages — Unhealthy actors are leveraging browser notifications as a vector for phishing assaults to distribute malicious hyperlinks by way of a brand new command-and-control (C2) platform known as Matrix Push C2. In these assaults, potential targets are tricked into permitting browser notifications by social engineering on malicious or legitimate-but-compromised web sites. As soon as a consumer agrees to obtain notifications from the location, the attackers benefit from the net push notification mechanism constructed into the net browser to ship alerts that seem like they’ve been despatched by the working system or the browser itself. The service is offered for about $150 for one month, $405 for 3 months, $765 for six months, and $1,500 for a full 12 months. The truth that the software is platform-agnostic means it might be favoured by risk actors trying to conduct credential theft, fee fraud, and cryptocurrency scams. Countering such dangers requires browser distributors to implement stronger abuse protections, reminiscent of utilizing a popularity system to flag sketchy websites and mechanically revoking notification permissions for suspicious websites.
• PlushDaemon APT Makes use of EdgeStepper to Hijack Software program Updates — The risk actor referred to as PlushDaemon has been noticed utilizing a beforehand undocumented Go-based community backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) assaults. EdgeStepper is positioned between a sufferer and the community edge, monitoring requests for sure well-liked Chinese language software program merchandise, such because the Sogou Pinyin Technique enter editor, the Baidu Netdisk cloud service, multipurpose instantaneous messenger Tencent QQ, and the free workplace suite WPS Workplace. If one such software program replace request is discovered EdgeStepper will redirect it to PlushDaemon’s infrastructure, ensuing within the obtain of a trojanized replace. The assaults result in the deployment of SlowStepper.
• Salesforce Warns of Unauthorized Data Entry through Gainsight-Linked Apps — Salesforce alerted prospects of “uncommon exercise” associated to Gainsight-published purposes related to the platform. The cloud providers agency mentioned it has taken the step of revoking all energetic entry and refresh tokens related to Gainsight-published purposes related to Salesforce. It has additionally briefly eliminated these purposes from the AppExchange as its investigation continues. Gainsight mentioned the Gainsight app has been briefly pulled from the HubSpot Market and Zendesk connector entry has been revoked as a precautionary measure. The marketing campaign has been attributed by Google to ShinyHunters, with the group assessed to have stolen knowledge from greater than 200 doubtlessly affected Salesforce situations. Cybersecurity firm CrowdStrike additionally mentioned it terminated a “suspicious insider” final month for allegedly passing insider data to Scattered LAPSUS$ Hunters. A member of the extortionist crew informed The Register they obtained entry to Gainsight following the Salesloft Drift hack earlier this 12 months. The incident as soon as once more underscores the security threat posed by the SaaS integration provide chain, the place breaching a single vendor acts as a gateway into dozens of downstream environments.
• Microsoft Mitigates File 15.72 Tbps DDoS Attack — Microsoft disclosed that it mechanically detected and neutralized a distributed denial-of-service (DDoS) assault focusing on a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and almost 3.64 billion packets per second (pps). The tech big mentioned it was the biggest DDoS assault ever noticed within the cloud, and that it originated from a TurboMirai-class Web of Issues (IoT) botnet referred to as AISURU. It is at the moment not recognized who was focused by the assault. In keeping with knowledge from QiAnXin XLab, the AISURU botnet is powered by almost 300,000 contaminated gadgets, most of that are routers, security cameras, and DVR programs. It has been attributed to a number of the greatest DDoS assaults recorded thus far. In a report revealed final month, NETSCOUT labeled the DDoS-for-hire botnet as working with a restricted clientele. QiAnXin XLab informed The Hacker Information {that a} botnet named Kimwolf is probably going linked to the group behind AISURU, including one in every of Kimwolf’s C2 domains lately surpassed Google in Cloudflare’s listing of high 100 domains, particularly, 14emeliaterracewestroxburyma02132[.]su.

‎️‍🔥 Trending CVEs

Hackers act quick. They’ll use new bugs inside hours. One missed replace could cause a giant breach. Listed below are this week’s most critical security flaws. Examine them, repair what issues first, and keep protected.

This week’s listing contains — CVE-2025-9501 (W3 Whole Cache plugin), CVE-2025-62765 (Lynx+ Gateway), CVE-2025-36251, CVE-2025-36250 (IBM AIX), CVE-2025-60672, CVE-2025-60673, CVE-2025-60674, CVE-2025-60676 (D-Hyperlink DIR-878 routers), CVE-2025-40547, CVE-2025-40548, CVE-2025-40549 (SolarWinds Serv-U), CVE-2025-40601 (SonicWall SonicOS), CVE-2025-50165 (Home windows Graphics), CVE-2025-9316, CVE-2025-11700 (N-able N-central), CVE-2025-13315, CVE-2025-13316 (Twonky Server), CVE-2024-24481, CVE-2025-13207 (Tenda N300 collection and Tenda 4G03 Professional), CVE-2025-13051 (ASUSTOR), CVE-2025-49752 (Azure Bastion), CVE-2024-48949, CVE-2024-48948 (elliptic), and a TLS verification bypass vulnerability in GoSign Desktop (no CVE).

📰 Across the Cyber World

• Malicious VS Code Extension Taken Down — A malicious Visible Studio Code extension was discovered making an attempt to capitalize on the official “Prettier” model to reap delicate knowledge. The extension, named “publishingsofficial.prettier-vscode-plus,” was revealed to the Microsoft Extension Market on November 21, 2025. The extension, as soon as put in, launches a batch script that is accountable for operating a Visible Primary Script file designed to execute a stealer malware. “The payload system inserted into the malicious extension seems designed to evade widespread anti-malware and static scanning techniques,” Checkmarx mentioned. “It is a multi-stage assault that ends with deploying and operating what seems to be a variant of the Anivia Stealer malware; this malware acquires and exfiltrates credentials, metadata, and personal data like WhatsApp chats from Home windows machines.” The extension has since been taken down.
• 100s of English-Language Web sites Hyperlink to Professional-Kremlin Propaganda — A brand new examine from the Institute for Strategic Dialogue (ISD) has revealed that lots of of English-language web sites between July 2024 and July 2025, together with information shops, fact-checkers, and educational establishments, are linking to articles from a pro-Kremlin community named Pravda that is flooding the web with disinformation. “Roughly 900 websites from throughout the political spectrum, starting from main information shops to fringe blogs, have linked to Pravda community articles over the noticed year-long interval,” ISD mentioned. “A reviewed pattern of greater than 300 English-language websites included U.S. nationwide and native information shops, distinguished sources of political commentary, in addition to fact-checking and educational establishments.” It is assessed that the Pravda community makes use of a high-volume technique to affect massive language fashions (LLMs) like of ChatGPT and Gemini and seed them with pro-Russia narratives, a course of known as LLM grooming. The community has been energetic since 2014, churning out greater than 6 million articles.
• Anthropic Finds Reward Hacking Results in Extra Misalignment — A brand new examine from synthetic intelligence (AI) firm Anthropic revealed that enormous language fashions (LLMs) skilled to “reward hack” by dishonest on coding duties exhibit much more misaligned conduct, together with sabotaging AI security analysis. “After they study to cheat on software program programming duties, they go on to show different, much more misaligned behaviors as an unintended consequence,” the corporate mentioned. “These embody regarding behaviors like alignment faking and sabotage of AI security analysis.”
• Microsoft to Embody Sysmon into Home windows 11 — Microsoft mentioned it is going to add Sysmon, a third-party app from the Sysinternals bundle, into future variations of Home windows 11 to assist with security log evaluation. “Subsequent 12 months, Home windows updates for Home windows 11 and Home windows Server 2025 will deliver Sysmon performance natively to Home windows,” the tech big mentioned. “Sysmon performance lets you use customized configuration information to filter captured occasions. These occasions are written to the Home windows occasion log, enabling a variety of use instances, together with by security purposes.”
• Extra Than 150 Remcos RAT Servers Discovered — Attack floor administration platform Censys mentioned it persistently tracked over 150 energetic Remcos RAT command-and-control (C2) servers between October 14 and November 14, 2025. “Most servers listened on port 2404, generally related to Remcos, with extra use of ports 5000, 5060, 5061, 8268, and 8808, exhibiting deployment flexibility,” the corporate mentioned. “A subset of hosts uncovered Server Message Block (SMB) and Distant Desktop Protocol (RDP), suggesting some operators additionally use native Home windows providers for administration. Internet hosting concentrated in the USA, the Netherlands, and Germany, with smaller clusters in France, the UK, Turkey, and Vietnam.”
• PyPI to Require E mail Verification for TOTP Logins — The Python Package deal Index (PyPI) portal will now require email-based verification for all Time-based One-Time Password (TOTP) logins coming from new developer gadgets. “Customers who’ve enabled WebAuthn (security keys) or passkeys for 2FA is not going to see any modifications, as these strategies are inherently phishing-resistant,” PyPI mentioned. “They cryptographically bind the authentication to the particular web site (origin), which means an attacker can not trick you into authenticating on a pretend web site, not like TOTP codes, which will be phished.”
• Blockade Spider’s Cross-Area Attacks Detailed — A financially motivated risk actor referred to as Blockade Spider has been attributed to utilizing cross-domain strategies in its ransomware campaigns since at the very least April 2024. The e-crime group makes use of Embargo ransomware and knowledge theft to monetize their operations. “They achieve entry by unmanaged programs, dump credentials, and transfer laterally to virtualized infrastructure to remotely encrypt information with Embargo ransomware,” CrowdStrike mentioned. “They’ve additionally demonstrated the flexibility to focus on cloud environments.” In a single case beforehand flagged by the corporate, the risk actor added compromised customers to a “No MFA” Energetic Listing group, circumvented security controls, and deployed ransomware whereas evading conventional detection programs.

• JSGuLdr Loader Delivers Phantom Stealer — A brand new multi-stage JavaScript-to-PowerShell loader has been put to make use of in cyber assaults, delivering an data stealer known as Phantom Stealer. “A JavaScript file triggers PowerShell by an Explorer COM name, pulls the second stage from %APPDATApercentRegistreri62, then makes use of Internet.WebClient to fetch an encrypted payload from Google Drive into %APPDATApercentAutorise131[.]Tel,” ANY.RUN mentioned. “The payload is decoded in reminiscence and loaded, with PhantomStealer injected into msiexec.exe.” The assault combines obfuscation and fileless in-memory loading strategies to sidestep detection. As a result of the ultimate payload runs totally in reminiscence inside a trusted course of, it permits risk actors to stealthily transfer throughout the community and steal knowledge.
• Apple Updates App Retailer Developer Tips — Apple up to date its developer pointers to require each app to reveal if it collects and shares consumer knowledge with AI firms, in addition to ask customers for permissions. “You could clearly disclose the place private knowledge will probably be shared with third events, together with with third-party AI, and acquire express permission earlier than doing so,” the corporate’s rule 5.1.2(i) now states. The modifications went into impact on November 13, 2025.
• Malware Marketing campaign Targets Microsoft IIS servers to Deploy BadIIS Malware — A malware marketing campaign dubbed WEBJACK has been noticed compromising Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware household. “The hijacked servers are being abused for search engine marketing poisoning and fraud, redirecting customers to on line casino, playing, or betting web sites,” WithSecure mentioned. “The risk actor has compromised high-profile targets, together with authorities establishments, universities, tech companies, and lots of different organizations, abusing their area popularity to serve fraudulent content material by search engine outcomes pages (SERPs).” The preliminary entry vector used within the assaults just isn’t recognized, though earlier BadIIS intrusions have leveraged weak internet purposes, stolen administrator credentials, and bought entry from initial-access brokers. The instruments and operational traits noticed level to a robust Chinese language nexus, a sample evidenced by the invention of comparable clusters in current months, reminiscent of GhostRedirector, Operation Rewrite, UAT-8099, and TOLLBOOTH.

• Phishing Scheme Targets WhatsApp Accounts — Tons of of victims throughout the Center East, Asia, and past have been ensnared in a brand new rip-off that leverages cloned login portals, low-cost domains, and WhatsApp’s personal “Linked Units” and one-time password workflows to hijack WhatsApp accounts. “Menace actors behind this marketing campaign create fraudulent web sites that intently imitate official WhatsApp interfaces, utilizing urgency-driven techniques to trick customers into compromising their accounts,” CTM360 mentioned. The marketing campaign has been codenamed HackOnChat. Over 9,000 phishing URLs have been uncovered thus far, with the websites hosted on domains registered with low-cost or much less regulated top-level domains reminiscent of .cc, .internet, .icu, and .high. Within the final 45 days, greater than 450 incidents have been recorded. “The attackers depend on two major strategies: Session Hijacking, the place the WhatsApp-linked machine characteristic is exploited to hijack WhatsApp internet periods, and the Account Takeover, which includes tricking victims into revealing their authentication key to grab full possession of their accounts,” the corporate added. “Malicious hyperlinks are utilizing templates of pretend security-alert verification, misleading WhatsApp Internet imitation pages, and spoofed group invitation messages, all designed to lure customers into these traps and allow the hacking course of.”
• Spike in Palo Alto Networks GlobalProtect Scanning — Menace intelligence agency GreyNoise has warned of one other wave of scanning exercise focusing on Palo Alto Networks GlobalProtect portals. “Starting on 14 November 2025, exercise quickly intensified, culminating in a 40x surge inside 24 hours, marking a brand new 90-day excessive,” the corporate mentioned. Between November 14 and 19, 2.3 million periods hitting the */global-protect/login.esp URI have been noticed. It is assessed that these assaults are the work of the identical risk actor based mostly on the recurring TCP/JA4t signatures and overlapping infrastructure.
• JustAskJacky is the Most Prevalent Menace in October 2025 — A malware household referred to as JustAskJacky emerged as probably the most pervasive risk in October 2025, adopted by KongTuke, Rhadamanthys, NetSupport RAT, and TamperedChef, in keeping with knowledge from Purple Canary. JustAskJacky, which emerged earlier this 12 months, is a “household of malicious NodeJS purposes that masquerade as a useful AI or utility software whereas conducting reconnaissance and executing arbitrary instructions in reminiscence within the background.”
• NSO Group Seeks to Overturn WhatsApp Case — Final month, a U.S. courtroom ordered Israeli business adware vendor NSO Group to cease focusing on WhatsApp. In response, the corporate has filed an attraction to overturn the ruling, arguing that the corporate will “undergo irreparable, doubtlessly existential accidents” and be pressured it out of enterprise. “And the injunction prohibits NSO from partaking in totally lawful conduct to develop, license, and promote merchandise utilized in approved authorities investigations — a prohibition that might devastate NSO’s enterprise and will properly drive it out of enterprise totally,” the movement reads.
• Ohio Contractor Pleads Responsible to Hacking Former Employer — Maxwell Schultz, a 35-year-old man from Ohio, pleaded responsible to expenses associated to hacking into the community of his former employer. The incident happened in 2021, after the unnamed firm terminated Schultz’s employment in its IT division. In keeping with the U.S. Justice Division, Schultz accessed the corporate’s community by impersonating one other contractor to acquire login credentials. “He ran a PowerShell script that reset roughly 2,500 passwords, locking hundreds of workers and contractors out of their computer systems nationwide,” the division mentioned. “Schultz additionally searched for methods to delete logs, PowerShell window occasions and cleared a number of system logs.” The incident brought about the corporate $862,000 in losses. Schultz admitted that he carried out the assault as a result of “he was upset about being fired.” He faces as much as 10 years in federal jail and a doable $250,000 most high-quality.
• Safety Flaws in Cline Bot AI — Safety vulnerabilities have been found in an open-source AI coding assistant known as Cline that might expose them to immediate injection and malicious code execution when opening specifically crafted supply code repositories. The problems have been addressed in Cline v3.35.0. “System prompts are usually not innocent configuration textual content. They form agent conduct, affect privilege boundaries, and considerably enhance attacker leverage when uncovered verbatim,” Mindgard researcher Aaron Portnoy mentioned. “Treating prompts as non-sensitive overlooks the fact that fashionable brokers mix language, instruments, and code execution right into a single operational floor. Securing AI brokers like Cline requires recognizing that prompts, software wiring, and agent logic are tightly related, and every have to be dealt with as a part of the security boundary.”

🎥 Cybersecurity Webinars

• Guardrails for Chaos: How you can Patch Quick With out Opening the Door to Attackers — Neighborhood instruments like Chocolatey and Winget assist groups patch software program quick. However they will additionally conceal dangers — previous code, lacking checks, and unsafe updates. Gene Moody from Action1 reveals tips on how to use these instruments safely, with clear steps to maintain pace and security in steadiness.
• Meet WormGPT, FraudGPT, and SpamGPT — the Darkish Aspect of AI You Must See — AI instruments are actually serving to criminals ship pretend emails. Names like WormGPT, FraudGPT, and SpamGPT can write or ship these messages quick. They make emails that look actual and might idiot individuals and filters. Many security instruments cannot sustain. Leaders must see how these assaults work and discover ways to cease them earlier than passwords get stolen.
• Misconfigurations, Misuse, and Missed Warnings: The New Cloud Safety Equation — Hackers are discovering new methods to interrupt into cloud programs. Some use weak id settings in AWS. Others conceal unhealthy AI fashions by copying actual ones. Some take too many permissions in Kubernetes. The Cortex Cloud crew will present how their instruments can spot these issues early and assist cease assaults earlier than they occur.

🔧 Cybersecurity Instruments

• YAMAGoya — A brand new free software from JPCERT/CC. It helps discover unusual or unsafe actions on Home windows in actual time. It watches information, packages, and community strikes, and checks reminiscence for hidden threats. It makes use of Sigma and YARA guidelines made by the security neighborhood. You possibly can run it with a window or from the command line. It additionally saves alerts to Home windows logs so different instruments can learn them.
• Metis — A free software made by Arm’s Product Safety Workforce. It makes use of AI to examine code for security issues. It helps discover small bugs that ordinary instruments miss. It really works with C, C++, Python, Rust, and TypeScript. You possibly can run it in your pc or add it to your construct system.

Disclaimer: These instruments are for studying and analysis solely. They have not been totally examined for security. If used the mistaken method, they might trigger hurt. Examine the code first, check solely in protected locations, and observe all guidelines and legal guidelines.

Conclusion

Every week proves that the cyber risk panorama by no means stands nonetheless. From patched vulnerabilities to sprawling botnets and ingenious new assault strategies, defenders are locked in a relentless race to remain forward. Even small lapses — a missed replace or a weak integration — can create main openings for attackers.

Staying forward calls for consideration to element, classes from each breach, and fast motion when alerts seem. Because the boundary between software program and security continues to blur, consciousness stays our strongest line of protection.

Keep tuned for subsequent week’s RECAP, the place we monitor the threats, patches, and patterns shaping the digital world.