Daily Cyber News – November 24th, 2025

This is today’s cyber news for November twenty fourth twenty twenty five. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

First today, Salesforce customers are dealing with the fallout of a supply chain breach in which attackers got into the Gainsight customer success platform and quietly siphoned data through its trusted connections into Salesforce. Investigators say the ShinyHunters group claimed access to data from more than two hundred companies by abusing those integrations into core Salesforce environments. The key risk is that an app meant to help manage customer relationships held broad read access to contact details, opportunity pipelines, and support history, and that access was used without raising instant alarms, because the connected app was only doing what it had been authorized to do. The current status is that Salesforce has revoked the access tokens for Gainsight's connected apps and urges customers to review connected app scopes and their login and A P I logs while Gainsight continues its own investigation.

Meanwhile, a serious flaw in Oracle Identity Manager has turned a central identity system into a potential launch pad for account takeovers across an entire enterprise. The weakness sits in the Oracle Fusion Middleware component and let unauthenticated requests reach sensitive functions that should always demand strong credentials, opening a path to run code or change high value access. The United States Cybersecurity and Infrastructure Security Agency, C I S A, has already added this bug to its catalog of known exploited vulnerabilities, which signals that attackers are not waiting for slow patchers. Oracle has shipped fixes, but the real question is how quickly organizations can patch or isolate identity servers that often sit at the heart of finance and human resources systems, and whether they have checked their logs for unauthenticated requests to those servers during the exposure window.

Over in the cloud, a critical bug in Microsoft Azure Bastion meant the bastion service that should shield virtual machines could instead be used to pry them open. Researchers found that a crafted request could bypass authentication checks altogether and be treated as a trusted session into the jump host, turning a safety barrier into a convenient doorway. This is especially dangerous for teams that rely on internet facing Bastion instances as their main route into production machines, on the assumption that those hosts are less risky than exposing remote desktop directly. Because Bastion is a managed service, Microsoft applied the fix on its side rather than shipping an update for customers to install, but security teams still need to review Bastion and virtual machine sign in logs for suspicious administrative sessions during the vulnerable window.

In another case, a maximum severity bug in Grafana Enterprise shows how identity plumbing can quietly promote ordinary users into administrators who can see and change almost everything. The issue sits in how the System for Cross-domain Identity Management, SCIM, provisions users from an external directory into Grafana teams and roles. With a crafted provisioning payload, new accounts could land directly in administrator roles, which is especially dangerous if an attacker had already compromised the upstream identity provider or the credentials the SCIM client uses. The takeaway is that observability platforms are not low risk: they hold dashboards, data source credentials, and alerting that reach into production. Grafana's maintainers have issued patched releases, and organizations are being urged to update quickly, review SCIM mappings, and audit recent admin account creation events for anything that does not match known groups.
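The defensive shape here is that a role must come only from an explicit mapping of verified groups, never from anything the provisioning payload asserts about itself, and that newly created admin accounts are checked against that same mapping. The following is an added example and is not Grafana's own SCIM implementation: the group to role table, the constructed SCIM user, and the constructed audit events are assumptions for illustration.

```python
import json

# Hypothetical mapping (assumption): the only path by which a provisioned account gets a role.
GROUP_ROLE_MAP = {"sre-oncall": "Admin", "platform-team": "Editor"}
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}
DEFAULT_ROLE = "Viewer"


def highest_role(roles) -> str:
    """Pick the most privileged role from an iterable, Viewer if there are none."""
    return max(roles, key=ROLE_RANK.__getitem__, default=DEFAULT_ROLE)


def group_names(user: dict) -> list[str]:
    # SCIM core schema: each group is {"value": id, "display": name}; use whichever is present.
    return [g.get("display") or g.get("value", "") for g in user.get("groups", [])]


def role_from_scim_user(user: dict) -> str:
    """Derive the role from allow-listed groups only.

    A role-like attribute in the payload (the SCIM "roles" attribute here) is
    deliberately ignored: a compromised identity provider or SCIM client controls
    the request body, but it cannot edit GROUP_ROLE_MAP on the receiving side.
    """
    return highest_role(GROUP_ROLE_MAP[g] for g in group_names(user) if g in GROUP_ROLE_MAP)


# Constructed payload: the client asserts Admin directly and belongs to no privileged group.
CRAFTED_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "contractor@example.com",
  "roles": [{"value": "Admin", "primary": true}],
  "groups": [{"display": "contractors"}]
}""")

# Constructed payload for a user whose groups legitimately map to Admin.
LEGIT_USER = {
    "userName": "oncall@example.com",
    "groups": [{"display": "sre-oncall"}, {"display": "platform-team"}],
}


def audit_admin_creations(events: list[dict]) -> list[str]:
    """Flag user-create events that produced an Admin whose groups do not map to Admin.

    events: constructed audit records with action, login, role, groups and source;
    the field names are assumptions, not a real product's log format.
    """
    findings = []
    for e in events:
        if e["action"] != "user.create" or e["role"] != "Admin":
            continue
        expected = highest_role(GROUP_ROLE_MAP.get(g, DEFAULT_ROLE) for g in e["groups"])
        if expected != "Admin":
            findings.append(f"{e['login']} created as Admin via {e['source']} "
                            f"but groups {e['groups']} map to {expected}")
    return findings


# Constructed audit log sample.
AUDIT_EVENTS = [
    {"action": "user.create", "login": "oncall@example.com", "role": "Admin",
     "groups": ["sre-oncall"], "source": "scim"},
    {"action": "user.create", "login": "contractor@example.com", "role": "Admin",
     "groups": ["contractors"], "source": "scim"},
    {"action": "user.create", "login": "dev@example.com", "role": "Editor",
     "groups": ["platform-team"], "source": "scim"},
    {"action": "user.update", "login": "oncall@example.com", "role": "Admin",
     "groups": ["sre-oncall"], "source": "ui"},
]

if __name__ == "__main__":
    print("crafted payload gets:", role_from_scim_user(CRAFTED_USER))
    print("legit payload gets:", role_from_scim_user(LEGIT_USER))
    for line in audit_admin_creations(AUDIT_EVENTS):
        print("FINDING:", line)
```

The audit function is the check the story recommends: it replays creation events against the same mapping the provisioning path uses, so any admin that exists without a group to justify it stands out even if the provisioning bug has since been patched.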

Rounding out the top five, a serious flaw in the popular Seven Zip file compression tool shows how a tiny utility can undercut bigger defenses when it is left unmanaged. Researchers showed that malicious archives containing symbolic links could escape the intended extraction folder and overwrite files elsewhere on the system, which is worst when the tool runs with elevated rights on shared servers or administrative workstations. A public proof of concept exploit is already circulating, and many copies of Seven Zip sit outside formal inventory because they were installed manually by users or bundled into old toolkits. The developer has released fixed versions, but Seven Zip does not update itself, so security teams now face the slow work of finding every copy, standardizing on a safe release, and watching endpoint telemetry for extractions that write outside their target folder.
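The escape the researchers describe hinges on an archive member that is a symbolic link pointing above the extraction folder, followed by a member whose path runs through that link. The following is an added example, not Seven Zip's code and not the circulating proof of concept: it builds a constructed zip with exactly that shape in memory, audits every member before anything touches disk, and then extracts only the members that pass. The archive contents, verdict names, and scratch directory are assumptions for illustration; the same checks apply to any archive format that can carry links.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile
from pathlib import Path

SYMLINK_MODE = (stat.S_IFLNK | 0o777) << 16  # zip stores the Unix mode in the high 16 bits


def build_sample_archive() -> bytes:
    """Constructed sample (not a real PoC): link above the root, a file through it, a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("escape")
        link.external_attr = SYMLINK_MODE
        zf.writestr(link, "../../outside")                  # link target is the member body
        zf.writestr("escape/pwned.txt", "overwritten\n")    # would be written through the link
        zf.writestr("docs/readme.txt", "benign\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample with an in-tree link (docs/latest -> docs/readme.txt), which is fine."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        link = zipfile.ZipInfo("docs/latest")
        link.external_attr = SYMLINK_MODE
        zf.writestr(link, "readme.txt")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def _normalize(name: str) -> str:
    # Member names use forward slashes; normpath collapses "a/./b" and "a/x/../b".
    return posixpath.normpath(name.replace("\\", "/"))


def audit_members(data: bytes) -> dict[str, str]:
    """Classify each member before extraction: "ok", "absolute_path", "path_traversal"
    (the name itself climbs out of the root), "symlink_escape" (link target resolves
    outside the root) or "under_symlink" (path passes through any symlink member)."""
    verdicts: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Collect every link name first, so the order of members in the archive cannot matter.
        link_names = {_normalize(i.filename) for i in infos if is_symlink(i)}
        for info in infos:
            name = _normalize(info.filename)
            parts = name.split("/")
            if name.startswith("/") or ":" in parts[0]:
                verdicts[info.filename] = "absolute_path"
            elif parts[0] == "..":
                verdicts[info.filename] = "path_traversal"
            elif any("/".join(parts[:i]) in link_names for i in range(1, len(parts))):
                verdicts[info.filename] = "under_symlink"
            elif is_symlink(info):
                target = zf.read(info).decode()
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
                escapes = target.startswith("/") or resolved.split("/")[0] == ".."
                verdicts[info.filename] = "symlink_escape" if escapes else "ok"
            else:
                verdicts[info.filename] = "ok"
    return verdicts


def safe_extract(data: bytes, dest: Path) -> list[str]:
    """Extract only members audited "ok", creating in-tree links as real symlinks.
    (zipfile.extractall never creates links; a tool that honours them needs this check.)"""
    dest = dest.resolve()
    verdicts = audit_members(data)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if verdicts[info.filename] != "ok":
                continue
            out = dest / _normalize(info.filename)
            if not out.resolve().is_relative_to(dest):  # resolve() follows links made so far
                continue
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            if is_symlink(info):
                os.symlink(zf.read(info).decode(), out)
            else:
                out.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def extract_in_scratch_dir(data: bytes) -> list[str]:
    """Run safe_extract into a throwaway directory and report what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extract"
        root.mkdir()
        return safe_extract(data, root)
```

Running `audit_members(build_sample_archive())` labels the link `symlink_escape` and the file behind it `under_symlink`, and `extract_in_scratch_dir` writes only `docs/readme.txt`. The two pass audit is deliberate: a single pass that only remembers links it has already seen can be fooled by reordering members, and the final `resolve()` check catches anything the logical audit missed once real links exist on disk.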

Attackers just got an easier way to hit Fortinet FortiWeb devices because the full exploit chain is now built into Metasploit. Researchers describe how multiple bugs can be linked together so a remote attacker can move from probing a login page to taking control of the web application firewall, W A F, that protects important sites. This shift turns a specialist technique into something that less skilled actors can simply run from a menu. For security teams this means that any exposed FortiWeb appliance that missed earlier patch cycles is now a tempting target on the open internet, especially when it sits in front of customer portals or partner tools. The current status is that Fortinet has already shipped fixes, but organizations must still confirm patches, review configurations, and scan logs for odd admin logins or new rules.

SonicWall customers are facing a different kind of trouble because a flaw in some firewall models can be triggered through virtual private network, V P N, traffic to repeatedly crash the device. Reports explain that malformed packets on remote access tunnels can push affected appliances into reboot loops, which translates directly into lost connectivity for branch offices and remote workers. This is not a data theft scenario, yet it functions like a simple and effective denial of service when there is no backup link. For many companies the bigger business risk is discovering during peak hours that a single overworked firewall is the only path into a site or warehouse that must stay online. The vendor has offered patched firmware and guidance, so teams now need to schedule upgrades and check monitoring dashboards for unexplained reboots or drops in V P N sessions.

Another story centers on SolarWinds Serv U, where three critical flaws that allow remote code execution have now been patched but still hang over unpatched servers. Investigators note that these bugs can be used by an unauthenticated attacker on the internet to move from the file transfer login page into full control of the host that runs it. That kind of shift matters because Serv U often sits at the edge of networks handling sensitive uploads and downloads between partners who assume the server is trustworthy. For many enterprises this brings back memories of the earlier SolarWinds supply chain crisis and raises questions about how exposed legacy file transfer services remain today. The present state is that updated Serv U versions are available, and defenders are urged to inventory every instance, especially older ones, and dig through logs for strange logins or new executables around the time patches were released.

On the consumer and business messaging front, WhatsApp is under scrutiny after researchers showed that its contact discovery feature could be abused to map roughly three and a half billion user accounts. By automating the process of checking which phone numbers are registered on the platform, the research team essentially turned WhatsApp into a massive directory that reveals who is reachable and where campaigns might hit hardest. This demonstration did not break message encryption, yet it pried open a rich source of profiling data that could feed targeted scams, harassment, or even state surveillance. For people who rely on WhatsApp for sensitive chats, especially journalists, activists, and executives, the work is a reminder that metadata and account discovery can be almost as revealing as content. Meta has made some adjustments since the study, but organizations still need to treat consumer messaging apps as partially exposed channels and monitor for follow on phishing that references phone numbers and identities harvested this way.
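The research worked because contact discovery answered an unbounded stream of lookups one number at a time. On the service side that abuse is detectable long before billions of numbers are covered, because a scanner looks nothing like a phone syncing its address book: it sweeps consecutive numbers, asks at a steady high rate, and hits many numbers that are not registered. The following is an added example and is not anything from WhatsApp, Meta, or the research team: a sliding window detector with assumed thresholds, run over a constructed query log containing one ordinary client and one scanner.

```python
from collections import defaultdict, deque

# Assumed policy thresholds for illustration, not any real service's.
WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 200   # rate: more lookups than any address book sync needs
MIN_LOOKUPS_FOR_PATTERN = 50   # only judge ratio and sequence on a meaningful sample
MAX_UNREGISTERED_RATIO = 0.5   # a real address book is mostly registered numbers
MIN_SEQUENTIAL_RATIO = 0.8     # consecutive numbers mean a range sweep, not a contact list


def detect_enumeration(events):
    """events: iterable of (ts, client_id, number, registered) sorted by ts.

    Returns (client_id, ts, reason) alerts, at most one per client and reason.
    Per client state is a deque of (ts, registered, consecutive) inside the window
    plus running counters, so each lookup costs O(1) amortized.
    """
    window = defaultdict(deque)
    unregistered = defaultdict(int)
    sequential = defaultdict(int)
    last_number = {}
    alerted = set()
    alerts = []
    for ts, client, number, registered in events:
        consecutive = last_number.get(client) == number - 1
        last_number[client] = number
        q = window[client]
        q.append((ts, registered, consecutive))
        unregistered[client] += not registered
        sequential[client] += consecutive
        while q and q[0][0] <= ts - WINDOW_SECONDS:  # slide the window forward
            _, old_reg, old_seq = q.popleft()
            unregistered[client] -= not old_reg
            sequential[client] -= old_seq
        n = len(q)
        enough = n >= MIN_LOOKUPS_FOR_PATTERN
        checks = [
            ("rate", n > MAX_LOOKUPS_PER_WINDOW),
            ("ratio", enough and unregistered[client] / n > MAX_UNREGISTERED_RATIO),
            ("sequential", enough and sequential[client] / n > MIN_SEQUENTIAL_RATIO),
        ]
        for reason, hit in checks:
            if hit and (client, reason) not in alerted:
                alerted.add((client, reason))
                alerts.append((client, ts, reason))
    return alerts


def build_sample_events():
    """Constructed log: one phone syncing 30 contacts, one scanner sweeping 300 numbers."""
    events = []
    for i in range(30):   # scattered numbers, 90% registered, one lookup per second
        events.append((i * 1.0, "phone-a", 15550000000 + i * 7919, i % 10 != 0))
    for i in range(300):  # consecutive numbers, 40% registered, five lookups per second
        events.append((100.0 + i * 0.2, "scanner", 447700900000 + i, i % 5 < 2))
    return sorted(events)  # the detector expects time order


if __name__ == "__main__":
    for client, ts, reason in detect_enumeration(build_sample_events()):
        print(f"t={ts:7.1f} {client:8} {reason}")
```

On the constructed log the phone never trips anything, while the scanner is flagged for unregistered ratio and sequential numbers after its fiftieth lookup and for raw rate after its two hundred and first, well inside its first minute. A real deployment would also key the state on device and account identifiers together, since an enumerator can spread lookups across many registrations, but the three signals are the same.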

The fifth story in this block takes us to Taiwan and a multi year espionage campaign called BadAudio, linked to a group researchers track as advanced persistent threat, A P T, twenty four. Investigators say the operators compromised legitimate vendors and the code and updates those vendors distribute, so that customers and visitors who trusted those sources unknowingly pulled down BadAudio, a first stage loader that fetches further tooling and siphons sensitive data. That patient strategy turned normal software supply chains into covert footholds on government and technology networks, and it reportedly touched more than one thousand domains before being uncovered. For defenders this campaign underlines how even well segmented environments can be quietly reached when the attack rides on trusted updates from familiar companies instead of obvious phishing lures. The current understanding is that vendors and security firms have begun dismantling the BadAudio infrastructure, yet organizations in the region still need to review which suppliers they trust, examine update logs, and watch for odd outbound traffic from systems that received recent software upgrades.

That’s the BareMetalCyber Daily Brief for November twenty fourth twenty twenty five. For more, visit Bare Metal Cyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.
