Daily Cyber News – October 23rd, 2025

This is today’s cyber news for October 23rd, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Attackers are actively exploiting a critical flaw in Adobe Commerce and Magento that lets them hijack customer sessions and skim checkout data. This matters because stolen card details and account takeovers turn directly into lost revenue and chargebacks. E-commerce teams running third-party plugins or custom themes are most exposed because patching lags and complexity slow fixes. Watch for new JavaScript on payment pages and network calls to unfamiliar domains right after checkout. First step: patch immediately and run integrity checks to confirm there’s no unknown code or session anomalies.
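One way to run the "integrity check" this item recommends for payment pages, as an added example that is not part of the newsletter and not code from Adobe or Magento: snapshot the scripts a known-good checkout page loads, then audit a freshly fetched copy of the page against that baseline. External scripts are compared by host against an allowlist; inline scripts are hashed and compared against the baseline snapshot. All hostnames and the two HTML documents below are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def _collect(html: str) -> _ScriptCollector:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def inline_baseline(known_good_html: str) -> Set[str]:
    """SHA-256 hashes of every inline script on a page you have already verified."""
    return {hashlib.sha256(code.encode("utf-8")).hexdigest()
            for code in _collect(known_good_html).inline}


def audit_checkout_scripts(html: str, allowed_hosts: Set[str],
                           baseline: Set[str]) -> Dict[str, List[str]]:
    """Report external scripts from hosts outside the allowlist and inline
    scripts whose hash is not in the baseline. Relative src values have no
    host and are left to file-level integrity checks on the web root."""
    page = _collect(html)
    unknown_hosts = [src for src in page.external
                     if urlparse(src).netloc.lower()
                     and urlparse(src).netloc.lower() not in allowed_hosts]
    unknown_inline = [code[:60] for code in page.inline
                      if hashlib.sha256(code.encode("utf-8")).hexdigest() not in baseline]
    return {"unknown_hosts": unknown_hosts, "unknown_inline": unknown_inline}


# Constructed sample pages; hostnames are placeholders, not real sites.
KNOWN_GOOD_CHECKOUT = """
<script src="/static/frontend/checkout.js"></script>
<script src="https://cdn.example-store.test/js/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
"""

CURRENT_CHECKOUT = """
<script src="/static/frontend/checkout.js"></script>
<script src="https://cdn.example-store.test/js/checkout.js"></script>
<script src="https://analytics-cdn.unfamiliar.test/c.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
<script>var _q = document.querySelectorAll("form");</script>
"""

ALLOWED_HOSTS = {"cdn.example-store.test"}


def run_audit() -> Dict[str, List[str]]:
    return audit_checkout_scripts(CURRENT_CHECKOUT, ALLOWED_HOSTS,
                                  inline_baseline(KNOWN_GOOD_CHECKOUT))


if __name__ == "__main__":
    for kind, items in run_audit().items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against a page fetched the same way a customer's browser would load it; the baseline should be regenerated only after a deliberate, reviewed deployment, so that anything new on the payment page shows up as a finding rather than silently becoming the new normal.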

A China-linked group is using a SharePoint exploit chain nicknamed ToolShell to take over on-prem servers even after patches. The business risk is high because compromised collaboration servers expose files, credentials, and downstream systems that keep the company running. Telecom and public-sector environments with internet-facing SharePoint and incomplete key rotation are most exposed. Watch for failed patch states on farms and unusual outbound connections from SharePoint hosts. First step: patch, rotate machine keys, and check for web shells or unauthorized modules in one maintenance window.

A high-severity bug in Rust’s async-tar lets crafted TAR archives bypass path handling and potentially execute code. That matters for organizations whose build systems and data pipelines automatically unpack nested archives with elevated permissions. CI/CD environments and ingest workflows that process untrusted files are most exposed to silent compromise. Watch for unexpected file writes outside intended directories and new binaries appearing after ingestion jobs. First step: update affected libraries and disable automated extraction of untrusted archives until you can verify no traversal artifacts exist.
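A pre-extraction check of the kind this item suggests, written as an added example that is not from the newsletter or from the async-tar project: before an ingest job unpacks an archive, list every member whose resolved path (or, for links, link target) would land outside the destination directory. The archive is built in memory from constructed entries so the check runs offline; the destination path is an assumption.

```python
import io
import os
import tarfile
from typing import List


def _is_within(base: str, target: str) -> bool:
    """True if target resolves to base or somewhere beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(archive_bytes: bytes, dest: str = "extract_dir") -> List[str]:
    """Names of members that would escape dest: absolute names, '..' traversal,
    and symlinks or hard links whose target lies outside dest."""
    bad: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _is_within(dest, target):
                bad.append(m.name)
                continue
            if m.issym():
                # Symlink targets are relative to the link's own directory.
                link_target = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():
                # Hard link targets are relative to the archive root.
                link_target = os.path.join(dest, m.linkname)
            else:
                continue
            if os.path.isabs(m.linkname) or not _is_within(dest, link_target):
                bad.append(m.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file, one traversal entry, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [("docs/readme.txt", b"hello"),
                           ("../../etc/cron.d/job", b"not a real job")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("would escape destination:", name)
```

The same function can gate an automated pipeline: refuse the whole archive when the list is non-empty rather than skipping individual entries, since a partially extracted archive is rarely what the downstream job expects.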

Researchers showed common AI agents can be tricked into running system commands through argument-injection and prompt abuse. The impact is that a simple chat prompt can become a system action, leading to data exfiltration or shell execution on developer machines and internal tools. Teams piloting agents without strong isolation and approvals are the most exposed. Watch for agents invoking shells or package managers and outbound requests to new domains right after prompts. First step: lock down tool permissions with an allowlist and route agent traffic through a proxy.

A flaw in a Model Context Protocol registry exposed more than three thousand servers and thousands of API keys, and researchers found malicious packages that forwarded secrets. The business risk is cascading data exposure because stolen keys unlock many connected tools at once. Organizations that quickly adopted connectors without central inventory are most exposed. Watch for unexpected connector downloads and sudden spikes in API usage tied to agent service accounts. First step: rotate keys immediately, disable unneeded connectors, and verify registry sources before any new installs.

CISA trimmed its international and industry partnership arm, reducing capacity for joint cyber programs with critical infrastructure. That matters because smaller utilities and hospitals often rely on federal convenings for guidance and surge support during big incidents. Operators without mature internal security teams are most exposed to slower advisories and fewer tabletop exercises. Watch for longer gaps between sector alerts and declining attendance or cadence in your information-sharing meetings. First step: lock in non-federal sharing routes now and pre-schedule quarterly cross-sector drills.

Iran-linked MuddyWater ran a phishing campaign that dropped a lightweight “Phoenix” backdoor into government networks. The business risk is quiet data theft and account compromise that can ripple across ministries and shared services. Public-sector tenants with legacy authentication and unsegmented workstations are most exposed. Watch for suspicious PowerShell or WMI activity from user accounts and anomalous OAuth consent grants in tenant logs. First step: block macros, disable legacy auth, and verify no new OAuth consents or scheduled tasks within forty-eight hours.

A one-day spearphishing burst hit Ukraine relief organizations with fake captcha pages that triggered a WebSocket-based remote tool. This matters because short, surgical phishing sprints can empty inboxes and steal documents before takedowns land. NGOs with volunteer devices and mixed email tenants are the most exposed. Watch for browser WebSocket traffic to brand-new domains and desktop browsers spawning PowerShell unexpectedly. First step: enforce conditional access and safe links, and block WebSocket egress to new domains until controls harden.

A long-quiet espionage crew dubbed PassiveNeuron returned with server-focused implants and tighter operational security. The business impact is durable footholds on middleware, file servers, and mail gateways that enable ongoing data theft. Finance, government, and telecom environments with outdated admin consoles are most exposed. Watch for new scheduled tasks on servers and odd rundll32 or mshta processes tied to service accounts. First step: close or patch legacy admin interfaces and block management ports at the edge while you review scheduled tasks.

Canadian regulators fined crypto processor Cryptomus one hundred seventy-six million dollars for anti-money-laundering failures tied to cybercrime flows. That’s important because penalties and de-banking can suddenly disrupt merchants and exchanges that depend on a single processor. Businesses riding third-party crypto payment rails are most exposed to settlement delays and service cutoffs. Watch for spikes in failed settlements and creation of new merchant API keys outside business hours. First step: reassess payment dependencies, demand AML attestations, and set alerts for settlement anomalies.

A U.S. court permanently blocked NSO Group from touching WhatsApp systems and awarded about four million dollars in damages. That matters because it raises legal and reputational risk for surveillance vendors and any customers considering their tools. Organizations in high-risk regions and teams with sensitive mobile communications are most exposed to spyware-style probing. Watch for unusual WhatsApp call attempts from unknown numbers and mobile crash logs that align with missed calls. First step: suspend any exceptions for commercial spyware and confirm mobile EDR coverage and signaling alerts.

TP-Link pushed urgent firmware for Omada gateways after researchers disclosed critical flaws that enable takeovers. The risk is that compromised edge devices can reroute traffic, open tunnels inward, and watch everything passing through. Small and mid-sized businesses with internet-exposed management or cloud-only visibility are most exposed. Watch for new admin accounts on gateways and configuration diffs that add odd port forwards. First step: patch immediately, block WAN-side management, and verify post-patch configs and admin lists the same day.

GitLab shipped emergency fixes for denial-of-service and authorization bugs affecting self-managed instances. This matters because DevOps platforms hold source, secrets, and deployment keys—so access flaws can become supply-chain incidents. Teams that expose runners and APIs to the internet or lag on upgrades are the most exposed. Watch for bursty API errors at odd hours and new personal access tokens with broad scopes. First step: upgrade now, restrict external API exposure, rotate high-privilege tokens, and review runner registrations.

Attackers published a typosquatted NuGet package mimicking Nethereum and planted code to steal wallet keys. The business risk is direct asset loss from developer workstations and CI systems that pulled the fake dependency. Crypto-adjacent projects and apps with permissive package policies are most exposed. Watch for NuGet restores from never-seen package names and connections to paste or temp-file services. First step: replace the malicious package, pin the legitimate source, quarantine affected hosts, and rotate keys immediately.

Rival hackers reportedly doxxed the Lumma infostealer crew, and activity dipped sharply afterward. That’s useful because a temporary slowdown can reduce credential-stuffing campaigns and initial access sales. Enterprises still face legacy infections and data already harvested, so the risk isn’t gone. Watch for declines in known Lumma command-and-control beacons and the sudden rise of look-alike stealer brands. First step: purge remaining footholds, block known C2s, and rotate exposed credentials while expanding phishing-resistant MFA.

Russia-linked COLDRIVER quickly rebuilt its malware after researchers exposed parts of its toolkit. That matters because fast iteration keeps signatures stale and lets phishing and credential theft continue largely undetected. Policy groups, universities, and defense-adjacent teams using single sign-on are especially exposed. Watch for failed MFA after successful password entry and new domains showing up in mail telemetry right before mailbox rules change. First step: enforce phishing-resistant MFA, restrict external OAuth apps, and review consent and tokens this week.

Researchers at Pwn2Own Ireland found dozens of new bugs across phones, routers, NAS devices, and enterprise software. The impact is that tomorrow’s opportunistic exploits often mirror today’s contest chains, especially against unmanaged gear. Small offices and branch sites with “set and forget” devices are most exposed. Watch for vendor advisories referencing Pwn2Own and sudden firmware pushes for routers, NAS, and browsers. First step: inventory event-listed products and patch quickly, or at least lock admin panels to a management VLAN.

New estimates put the broader fallout from the Jaguar Land Rover cyber incident at about two point five billion dollars across the UK economy. That’s important because tightly coupled suppliers can’t easily absorb outages, so one plant problem becomes a network problem. Manufacturers with tier-two and tier-three vendors lacking resilience are most exposed. Watch for spikes in manual work orders and emergency freight spend right after IT incidents. First step: build a supplier-impact playbook and verify offline, immutable backups for plant systems this quarter.

Attackers are abusing OAuth applications and long-lived tokens to persist in cloud tenants even after passwords change. The business risk is quiet access to mail and files via overly broad app scopes that users or admins approved. Midmarket Microsoft Entra ID and Google Workspace tenants with default consent settings are most exposed. Watch for high-scope consents granted outside business hours and silent mailbox access from unfamiliar apps. First step: require admin approval for risky scopes, disable user-led consent, and review enterprise apps and tokens within forty-eight hours.
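The consent review this item and the COLDRIVER item both call for, as an added example that is not from the newsletter or from any identity vendor: run a set of consent-grant events through a triage function that flags grants of high-risk scopes and grants made outside business hours. The events, the app names, the business-hours window (08:00 to 18:00, with the sample timestamps treated as local time) and the high-risk scope list are all constructed assumptions; the scope strings are modelled on the permission-name style used by Microsoft Graph, not taken from any tenant's export.

```python
from datetime import datetime
from typing import Dict, List

# Constructed consent events; field names loosely mirror an audit-log export.
SAMPLE_EVENTS = [
    {"time": "2025-10-22T14:05:00", "user": "alice@example.test",
     "app": "Expense Helper", "scopes": ["User.Read"]},
    {"time": "2025-10-22T23:40:00", "user": "bob@example.test",
     "app": "MailSync Pro", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"time": "2025-10-23T09:15:00", "user": "carol@example.test",
     "app": "Drive Backup", "scopes": ["Files.ReadWrite.All", "offline_access"]},
    {"time": "2025-10-23T03:10:00", "user": "dave@example.test",
     "app": "Quick Poll", "scopes": ["User.Read"]},
]

# Assumed high-risk scopes: anything that reads mail or files tenant-wide, or
# keeps a refresh token alive after the user's password changes.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "offline_access",
}
BUSINESS_HOURS = (8, 18)  # inclusive start hour, exclusive end hour


def _outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def triage_consents(events: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious consent grant, with a severity and reasons.
    Severity is 'high' when any high-risk scope was granted, otherwise 'low'
    for an out-of-hours grant of ordinary scopes. Unremarkable grants produce
    no finding."""
    findings: List[Dict] = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        reasons: List[str] = []
        risky = sorted(set(ev["scopes"]) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if _outside_business_hours(ts):
            reasons.append(f"granted outside business hours ({ts:%H:%M})")
        if not reasons:
            continue
        findings.append({
            "user": ev["user"],
            "app": ev["app"],
            "severity": "high" if risky else "low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_consents(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} -> {f['app']}: {'; '.join(f['reasons'])}")
```

High findings are the ones to act on inside the forty-eight-hour window the item gives: revoke the app's consent and refresh tokens, then confirm with the user whether the grant was theirs. Feeding a real export through this only requires mapping the export's column names onto the four fields used above.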

A global survey says roughly half of organizations have already suffered harm from AI security issues like data leakage and unsafe connectors. That matters because adoption has outpaced guardrails, turning pilot tools into real exposure in months. Regulated teams and anyone handling proprietary data through chat or agents are most exposed. Watch for shadow AI tools and unexplained spikes in API usage tied to chatbot accounts. First step: assign a single owner for AI security, publish a minimal control set, and turn on egress and secrets scanning now.

That’s the Bare Metal Cyber Daily Brief for October 23rd, 2025. For more, visit BareMetal Cyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.
