VulnHub

A recent report from Proofpoint reveals a rise in phishing attacks that take advantage of Microsoft's OAuth device code flow. These campaigns target Microsoft 365 users, tricking them into providing access to their accounts through fake sign-in prompts. The attacks exploit the trust users place in the OAuth process, which is designed to facilitate secure authentication. As a result, individuals and organizations using Microsoft 365 could be at risk of unauthorized access to sensitive information. This surge in phishing attempts underscores the need for heightened awareness and vigilance among users to avoid falling victim to these scams.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a serious vulnerability, tracked as CVE-2025-59374, found in the Asus Live Update tool. This flaw acts as a backdoor that attackers can exploit, making it a significant concern for anyone using affected Asus devices. The vulnerability stems from a supply chain attack, meaning it was introduced during the software development process rather than through direct hacking. This situation puts users at risk, as the compromised update tool could allow unauthorized access to their systems. Asus users should take this warning seriously and ensure their devices are not vulnerable to exploitation.

This week’s ThreatsDay Bulletin reveals a variety of cybersecurity incidents where attackers are modifying existing tools and utilizing new tactics to exploit vulnerabilities. Notably, there are reports of WhatsApp accounts being hijacked, which can lead to unauthorized access to personal information and communications. Additionally, leaks related to Managed Cloud Providers (MCP) expose sensitive data, raising concerns for businesses relying on cloud services. Other activities involve advancements in AI reconnaissance techniques and the exploitation of the React2Shell vulnerability, which could impact numerous applications. As these tactics evolve, it’s crucial for users and organizations to stay vigilant and update their security measures to prevent potential breaches.

SonicWall has released patches for a medium-severity vulnerability in its SMA 1000 series, which has been exploited alongside a critical bug to enable remote code execution. This means that attackers could potentially gain control of affected devices, posing serious risks to organizations using this equipment. Users of SonicWall's SMA 1000 should prioritize applying the latest updates to safeguard their systems. The existence of this zero-day exploit indicates that the vulnerability was being actively exploited before it was disclosed, which raises concerns about the security of devices that have not yet been patched. Companies are urged to review their security measures and ensure they are using the most up-to-date software to protect against such threats.

A new vulnerability, tracked as CVE-2025-20393, has been discovered in Cisco's Secure Email Gateway and Secure Email and Web Manager appliances. This zero-day flaw is reportedly being exploited by hackers linked to China, posing a significant risk to organizations using these products. The vulnerability allows attackers to bypass security controls, potentially leading to unauthorized access and data breaches. Companies using these Cisco appliances should prioritize patching and monitoring their systems to mitigate the risks associated with this exploit. The discovery of this flaw is particularly concerning given the ongoing cyber threats targeting critical infrastructure and enterprise environments.

In October 2025, Kaspersky reported a new wave of phishing attacks linked to a group known as Operation ForumTroll, specifically targeting Russian scholars. These attackers are using fake emails that appear to come from a legitimate eLibrary service to lure victims into providing sensitive information. This shift from targeting organizations in the spring to focusing on individuals in the fall raises concerns about the attackers' evolving strategies. The origins of the threat actor remain unclear, but the targeted approach suggests a calculated effort to exploit the academic community. Such incidents can lead to significant data breaches and have serious implications for both personal and institutional security.

Amazon has alerted users that Sandworm, a group associated with Russia's military intelligence, has changed its approach to cyberattacks. Instead of exploiting software vulnerabilities, the group is now targeting poorly configured network edge devices to maintain access to their targets. This shift raises concerns for organizations that may not have secured their network configurations adequately. The focus on these devices suggests attackers are adapting their strategies to exploit weaknesses in network management rather than relying on traditional software flaws. This change could lead to increased risks for various industries, especially those with critical infrastructure that may be vulnerable due to lax network settings.

Ransomware groups are increasingly targeting hypervisors, which are the underlying technology that allows multiple virtual machines to run on a single physical server. This approach enables attackers to encrypt multiple virtual machines simultaneously with a single breach, significantly increasing the impact of their attacks. Researchers at Huntress have found that these attackers exploit gaps in visibility and security at the hypervisor layer. Organizations need to take proactive steps to secure their virtualization infrastructure against these threats. This includes implementing stricter access controls, regular monitoring, and keeping systems updated to defend against potential ransomware attacks that can disrupt operations and lead to data loss.

A recent study has revealed that most parked domains—those that are expired, dormant, or commonly misspelled versions of popular sites—are now being used to host malicious content. These domains are redirecting users to scam sites or distributing malware, creating significant risks for individuals who may unknowingly type in these addresses. This trend highlights the dangers of direct navigation, where users enter URLs manually. As attackers exploit these parked domains, both casual internet users and organizations may find themselves vulnerable to online scams and security breaches. Awareness and caution are essential for users to avoid falling victim to these tactics.

Fortinet FortiGate devices are currently under active attack due to two recently disclosed vulnerabilities, CVE-2025-59718 and CVE-2025-59719, which allow for authentication bypass through malicious single sign-on (SSO) logins. Cybersecurity firm Arctic Wolf reported observing these attacks on December 12, 2025, just days after the vulnerabilities were made public. This situation poses significant risks for organizations using FortiGate appliances, as attackers can potentially gain unauthorized access to sensitive systems. Companies using these devices should take immediate action to protect their networks and data from these ongoing intrusions.

Google's threat intelligence team has identified five additional Chinese hacking groups involved in exploiting the React2Shell vulnerability, which allows for remote code execution. This vulnerability is considered highly severe, making it a significant risk for affected systems. The groups are believed to be using this exploit to target various organizations, potentially compromising sensitive data and disrupting operations. The identification of these groups emphasizes the ongoing threat posed by state-sponsored hackers and the need for organizations to bolster their defenses against such attacks. Companies that utilize affected software should take immediate action to mitigate risks associated with this vulnerability.