Vendors
-
Researchers: Actors abused Triofox antivirus feature to execute code as SYSTEM
Researchers say the UNC6485 cluster exploited CVE-2025-12480 in Gladinet Triofox by spoofing a localhost host header to bypass authentication, then abused the product’s antivirus configuration to run a malicious payload as SYSTEM; vendors have released patches and investigators provided indicators of compromise.
-
Swedish privacy authority opens probe after Miljödata cyberattack that exposed up to 1.5 million people
Sweden’s privacy authority is investigating a cyberattack on Miljödata that exposed data tied to up to 1.5 million people. The breach disrupted municipal services, was posted on the dark web by the Datacarry group, and appears in Have I Been Pwned with roughly 870,000 affected records; IMY has prioritised probes of Miljödata and several municipalities.
-
Nikkei says Slack breach exposed personal information of more than 17,000 users
Nikkei said a Slack compromise exposed names, email addresses and chat histories for 17,368 people after attackers used credentials stolen from a malware-infected employee computer; the publisher voluntarily notified Japan’s data protection regulator and said no source-related material was affected.
-
Google AI agent Big Sleep credited with finding five WebKit bugs in Safari; Apple issues patches
Apple credited Google’s AI agent Big Sleep with finding five WebKit vulnerabilities affecting Safari that could cause crashes or memory corruption; Apple issued patches in iOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 and Safari 26.1 and urged users to update.
-
Microsoft finds SesameOp backdoor that uses OpenAI Assistants API for C2
Microsoft’s DART reported discovery of a custom .NET backdoor called SesameOp that uses the OpenAI Assistants API as a covert command-and-control channel; Microsoft shared its findings with OpenAI, which disabled a suspected API key, and the victim remains unnamed.
-
Cybercriminals use RMM tools to target trucking firms, steal freight: Proofpoint
Proofpoint researchers say cybercriminals are compromising trucking and logistics firms with legitimate remote monitoring and management tools to harvest credentials, gain persistent access and fraudulently bid on or divert real shipments, with food and beverage cargo a frequent target.
-
Australia warns of ongoing BADCANDY attacks on unpatched Cisco IOS XE devices
The Australian Signals Directorate warned of ongoing attacks using a Lua-based web shell called BADCANDY, which exploits CVE-2023-20198 in unpatched Cisco IOS XE devices; the ASD estimates about 400 devices in Australia have been affected since July 2025 and urges patching and hardening measures.
-
CISA adds VMware local privilege-escalation zero-day to Known Exploited Vulnerabilities catalog
CISA added CVE-2025-41244, a high-severity VMware local privilege-escalation flaw, to its Known Exploited Vulnerabilities catalog after reports of active exploitation. Broadcom-owned VMware has issued a patch, NVISO Labs reported zero-day use since October 2024, and federal agencies must apply mitigations by Nov. 20, 2025.
-
Ribbon Communications says nation-state hackers breached its network; initial access traced to December 2024
Ribbon Communications disclosed a nation-state-associated breach of its IT network, detected in September 2025 with preliminary evidence of initial access in December 2024. The company is working with outside cybersecurity experts and federal law enforcement, has found customer files on two laptops outside its main network, and said it has not found evidence of theft…