🛡️ ScanFortress Weekly Threat Intelligence Report
📊 Executive Summary
Week 48 of 2025 has been marked by a significant escalation in both the sophistication and speed of cyber threats. The most alarming development is the emergence of AI-accelerated exploitation, effectively ending the traditional "patching window" that organizations have relied upon for decades. Zero-day vulnerabilities in Fortinet and Chrome, combined with active exploitation of critical flaws in Oracle Identity Manager and Microsoft WSUS, demonstrate that threat actors are moving faster than ever before.
This week also highlighted the growing convergence of cybercriminal groups, with the RomCom threat actor leveraging SocGholish infrastructure—marking the first documented instance of such collaboration. Supply chain attacks continue to dominate, exemplified by the Qilin ransomware group's breach of a South Korean MSP that cascaded into 28 separate victim organizations. Web-based threats remain prevalent, with fake update campaigns, malicious browser extensions, and social engineering attacks targeting users across multiple platforms.
For website operators, the key takeaway is clear: proactive security scanning and continuous monitoring are no longer optional. With attackers exploiting SSL/TLS misconfigurations, weak security headers, and DNS vulnerabilities at unprecedented speed, organizations must shift from reactive patching to continuous security validation.
🚨 Critical Vulnerabilities & Threats
⚠️ 1. Zero-Day Exploits in Fortinet and Chrome
Severity: CRITICAL
Multiple zero-day vulnerabilities were discovered and actively exploited in Fortinet products and Google Chrome this week. These vulnerabilities allow attackers to gain unauthorized access to systems and execute arbitrary code. The rapid weaponization of these flaws—reportedly within hours using AI-assisted exploit development—represents a paradigm shift in threat velocity.
ScanFortress Detection: While our platform cannot directly detect browser vulnerabilities, we can identify weak SSL/TLS configurations and missing security headers that would help mitigate the impact of browser-based attacks. Regular scanning ensures your website implements proper Content Security Policy (CSP) headers that can prevent malicious script injection.
⚠️ 2. Oracle Identity Manager CVE-2025-61757 (CVSS 9.8)
Severity: CRITICAL | Status: ACTIVELY EXPLOITED
CISA added this critical authentication bypass vulnerability to its Known Exploited Vulnerabilities catalog. The flaw allows pre-authenticated remote code execution on Oracle Identity Manager systems, affecting organizations' core identity and access management infrastructure.
Web Security Impact: Organizations using Oracle Identity Manager for web application authentication must patch immediately. This vulnerability can lead to complete compromise of web application access controls.
⚠️ 3. Microsoft WSUS Exploitation (CVE-2025-59287) - ShadowPad Distribution
Severity: HIGH | Status: ACTIVE EXPLOITATION
Threat actors are exploiting a recently patched vulnerability in Windows Server Update Services (WSUS) to distribute ShadowPad malware. Attackers target Windows Servers with WSUS enabled, using the vulnerability for initial access before deploying PowerCat and other tools for lateral movement.
Infrastructure Risk: Web servers running on Windows infrastructure with WSUS enabled are at risk. This highlights the importance of proper server hardening and network segmentation.
⚠️ 4. NTLM Relay Attacks - Legacy Protocol Abuse
Severity: HIGH | Status: ONGOING
Kaspersky's research reveals continued exploitation of NTLM vulnerabilities throughout 2025, including relay attacks and credential forwarding. Despite being legacy technology, NTLM remains widely deployed and actively targeted.
Web Application Impact: Web applications using Windows Integrated Authentication or NTLM for single sign-on are vulnerable to these attacks. Organizations should audit authentication mechanisms and migrate to modern protocols.
⚠️ 5. Grafana SCIM Vulnerability CVE-2025-41115 (CVSS 10.0)
Severity: CRITICAL
A maximum severity flaw in Grafana's System for Cross-domain Identity Management (SCIM) component allows privilege escalation and user impersonation. This affects organizations using Grafana for monitoring dashboards and analytics.
ScanFortress Relevance: Many organizations expose Grafana dashboards via web interfaces. Our DNS and SSL/TLS scanning can identify exposed Grafana instances that may be vulnerable.
🔍 Threats Detectable by ScanFortress
Our automated security scanning platform can help identify and prevent several attack vectors highlighted in this week's threat intelligence:
🛡️ How ScanFortress Protects Your Website
- 🔒 SSL/TLS Certificate Validation: Detects expired, misconfigured, or weak SSL/TLS implementations that could be exploited in man-in-the-middle attacks. This week's NTLM relay attacks often leverage weak TLS configurations for credential interception.
- 🌐 DNS Configuration Analysis: Identifies DNS misconfigurations, missing security records (CAA, DNSSEC), and potential DNS hijacking vulnerabilities. Critical for preventing the supply chain attacks seen in the Qilin/South Korean MSP breach.
- 📋 Security Headers Verification: Validates implementation of critical security headers including:
  - Content Security Policy (CSP): Prevents malicious script injection from browser-based attacks like the Chrome zero-day exploits
  - HTTP Strict Transport Security (HSTS): Protects against protocol downgrade attacks used in NTLM relay scenarios
  - X-Frame-Options: Prevents clickjacking attacks common in social engineering campaigns
  - X-Content-Type-Options: Mitigates MIME-type confusion attacks
  - Referrer-Policy: Prevents information leakage that could aid reconnaissance
- 🍪 Cookie Security Analysis: Identifies insecure cookie configurations (missing Secure, HttpOnly, SameSite flags) that could be exploited for session hijacking—particularly relevant given this week's focus on authentication bypass vulnerabilities.
- 🔓 Exposed Services Detection: Discovers publicly accessible admin panels, development interfaces, and monitoring dashboards (like Grafana) that should not be internet-facing.
- ⚡ Common Web Vulnerability Detection: Scans for outdated software versions, known vulnerable components, and misconfigurations that could provide initial access points for attackers.
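The checks in the list above (security headers and cookie flags) can be reproduced offline against a captured response. The following is an added example written for this report, not ScanFortress's own scanner code; the response headers and Set-Cookie lines are constructed samples, and the one-year HSTS threshold is an assumption taken from preload-list requirements.

```python
"""Audit a response's security headers and cookie flags (added example)."""
import re

# Header name -> finding reported when the header is absent.
REQUIRED_HEADERS = {
    "content-security-policy": "Missing CSP: injected scripts are not restricted",
    "strict-transport-security": "Missing HSTS: downgrade to plaintext HTTP is possible",
    "x-frame-options": "Missing X-Frame-Options: page can be framed (clickjacking)",
    "x-content-type-options": "Missing X-Content-Type-Options: MIME sniffing allowed",
    "referrer-policy": "Missing Referrer-Policy: full URLs may leak to third parties",
}
MIN_HSTS_AGE = 31536000  # assumed threshold: one year, as HSTS preload lists require


def audit_headers(headers):
    """Return findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    # CSP: a script-src (or fallback default-src) allowing 'unsafe-inline' defeats the point.
    csp = h.get("content-security-policy", "")
    directives = {d.strip().split(" ")[0].lower(): d.strip() for d in csp.split(";") if d.strip()}
    script_src = directives.get("script-src") or directives.get("default-src", "")
    if csp and "'unsafe-inline'" in script_src.lower():
        findings.append("CSP allows 'unsafe-inline' for scripts: injection is not blocked")
    # HSTS: a short max-age leaves a downgrade window once the policy expires.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < MIN_HSTS_AGE):
        findings.append("HSTS max-age below one year")
    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("X-Content-Type-Options value is not 'nosniff'")
    return findings


def audit_cookies(set_cookie_lines):
    """Return one finding per Set-Cookie line for each missing Secure/HttpOnly/SameSite flag."""
    findings = []
    for line in set_cookie_lines:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"Cookie {name!r} lacks {flag}")
    return findings


# Constructed sample response: not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) + audit_cookies(SAMPLE_COOKIES):
        print("FINDING:", finding)
```

The sample response yields four header findings (missing X-Frame-Options and Referrer-Policy, 'unsafe-inline' in script-src, short HSTS max-age) and two cookie findings for the session cookie, which lacks Secure and SameSite.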
🎯 Don't Wait for a Breach!
With threat actors moving from vulnerability disclosure to active exploitation in mere hours, regular security scanning is essential. ScanFortress provides automated, continuous monitoring to ensure your website's security posture remains strong.
Start your free security scan today and discover vulnerabilities before attackers do.
📈 Industry Trends & Analysis
🤖 The AI-Accelerated Threat Landscape
This week's most significant trend is the collapse of the traditional exploit window. Qualys' analysis reveals that AI-assisted exploit development has reduced weaponization time from days or weeks to mere hours. This "Zero-Day Zero" phenomenon means organizations can no longer rely on the buffer period between vulnerability disclosure and active exploitation. The implications are profound: continuous security validation and automated scanning are now mandatory, not optional.
🔗 Supply Chain Attack Convergence
The Qilin ransomware group's breach of a South Korean MSP, resulting in 28 compromised organizations, exemplifies the multiplier effect of supply chain attacks. Similarly, the SocGholish infrastructure being leveraged by RomCom demonstrates increasing collaboration and resource-sharing among threat actors. Organizations must assess third-party risk and implement defense-in-depth strategies that assume compromise at any level of the supply chain.
🎭 Social Engineering Evolution
Multiple campaigns this week employed sophisticated social engineering tactics:
- Fake job recruitment sites targeting macOS users (FlexibleFerret malware)
- Fake game releases exploiting Battlefield 6 hype to distribute stealers
- Fake update prompts on compromised adult websites (SocGholish/JackFix campaigns)
- Malicious browser extensions masquerading as crypto trading tools
These attacks bypass traditional perimeter security by targeting the human element. Security awareness training combined with technical controls (like CSP headers to prevent malicious script execution) provides the best defense.
🏛️ Legacy Technology as Attack Vector
Kaspersky's comprehensive report on NTLM abuse in 2025 highlights a persistent problem: legacy protocols and technologies remain widely deployed and actively exploited. Similar issues affect other "old tech" like unpatched WSUS servers, outdated Android TV boxes being recruited into botnets, and aging web application authentication mechanisms. Organizations must prioritize technical debt remediation and protocol modernization.
🌍 Geopolitical Cyber Activity
State-sponsored activity remains prominent:
- North Korean actors (Contagious Interview, potential Moonstone Sleet involvement) continue fake recruitment campaigns
- Chinese APT groups (APT24, ToddyCat) conduct long-term espionage targeting Taiwan and corporate email systems
- Russian-aligned groups (RomCom) target organizations with Ukrainian ties
The line between state-sponsored and cybercriminal activity continues to blur, with shared tools, infrastructure, and techniques across both categories.
💰 Black Friday Cybercrime Surge
Kaspersky's Black Friday threat report documents the annual surge in e-commerce-focused attacks, including phishing campaigns, fake shopping sites, and malware distribution disguised as deals. For website operators, this seasonal pattern demands heightened security vigilance during high-traffic periods, including additional monitoring for malicious scripts, payment skimming attempts, and credential stuffing attacks.
✅ Recommendations & Best Practices
🚀 Immediate Actions
- Patch Critical Vulnerabilities: Prioritize Oracle Identity Manager (CVE-2025-61757), Microsoft WSUS (CVE-2025-59287), and Grafana (CVE-2025-41115) if applicable to your environment
- Update Browsers and Web Frameworks: Ensure Chrome, Fortinet products, and all web-facing applications are running the latest patched versions
- Scan Your Websites: Run immediate security scans using ScanFortress to identify SSL/TLS issues, missing security headers, and configuration weaknesses
- Review Authentication Mechanisms: Audit web applications still using NTLM or legacy authentication protocols and plan migration to modern alternatives
- Verify Security Headers: Ensure all web properties implement comprehensive security headers, particularly CSP to mitigate script injection attacks
🛡️ Strategic Security Improvements
- Implement Continuous Scanning: Shift from periodic assessments to continuous security monitoring. With AI-accelerated threats, weekly or monthly scans are insufficient
- Adopt Defense-in-Depth: Layer multiple security controls including WAF, proper security headers, certificate pinning, and network segmentation
- Strengthen SSL/TLS Configuration: Disable weak ciphers, enforce TLS 1.3 where possible, implement HSTS with preloading, and maintain valid certificates
- Enhance DNS Security: Implement DNSSEC, configure CAA records to prevent unauthorized certificate issuance, and monitor for DNS hijacking attempts
- Review Third-Party Dependencies: Audit all third-party services, APIs, and integrations for security posture. The MSP breach demonstrates supply chain risk
- Implement Cookie Security Best Practices: Ensure all cookies use Secure, HttpOnly, and SameSite attributes appropriately
👥 Organizational & Process Improvements
- Accelerate Patch Management: Reduce time-to-patch to hours, not days. The traditional patch cycle is too slow for the current threat landscape
- Conduct Security Awareness Training: Educate staff about fake update prompts, malicious browser extensions, and social engineering tactics seen this week
- Establish Incident Response Procedures: Ensure clear protocols for responding to zero-day announcements and active exploitation
- Monitor Threat Intelligence: Subscribe to vendor security advisories and threat intelligence feeds relevant to your technology stack
- Test Backup and Recovery: With ransomware groups like Qilin conducting supply chain attacks, verified backups are essential
🔍 Website-Specific Hardening
- Content Security Policy (CSP): Implement strict CSP headers to prevent unauthorized script execution. Start with