Vendors
-
Mass attacks exploit outdated GutenKit and Hunk Companion WordPress plugins
A mass exploitation campaign is targeting WordPress sites running outdated GutenKit and Hunk Companion plugins, leveraging three critical vulnerabilities that can lead to remote code execution; Wordfence said it blocked 8.7 million attack attempts over two days and urged administrators to update plugins and check for indicators of compromise.
-
Microsoft issues out-of-band fix for WSUS vulnerability CVE-2025-59287
Microsoft released an out-of-band cumulative update to address CVE-2025-59287, a critical WSUS deserialization vulnerability being exploited in the wild; admins should apply the patch or disable WSUS/block ports 8530 and 8531 until systems can be rebooted after updating.
-
Toys “R” Us Canada notifies customers after customer records leaked
Toys “R” Us Canada told customers a threat actor posted stolen customer records on the unindexed internet on July 30, 2025. Third-party investigators confirmed the data’s authenticity, which may include names, addresses, emails and phone numbers; passwords and payment data were not exposed. The company said it has upgraded security and is notifying regulators, and…
-
Former L3Harris cyber executive charged with selling trade secrets to Russia
Federal prosecutors say Peter Williams, a former Trenchant general manager, misappropriated eight trade secrets and sold them to an undisclosed buyer in Russia, allegedly earning about $1.3 million; prosecutors seek forfeiture of multiple assets and an arraignment is set for Oct. 29.
-
Researchers warn spoofed AI sidebars can trick Atlas and Comet users into dangerous actions
Security researchers at SquareX say they can use a malicious browser extension to overlay a fake AI sidebar in Atlas and Comet, tricking users into phishing pages, OAuth theft of Gmail/Drive access, or running commands that install a reverse shell.
-
CISA Adds Critical Lanscope Endpoint Manager Flaw to KEV Catalog
CISA added CVE-2025-61932, a critical arbitrary-code vulnerability in Motex Lanscope Endpoint Manager, to its Known Exploited Vulnerabilities catalog and said it is being actively exploited; Motex has released patched versions and agencies are advised to remediate by Nov. 12, 2025.
-
BIND flaws could enable DNS cache poisoning; patches issued
BIND developers warned of two vulnerabilities, CVE-2025-40778 and CVE-2025-40780, that can enable DNS cache poisoning by allowing forged responses to be accepted; patches were released and operators are urged to apply them.
-
Hackers exploit critical SessionReaper flaw in Adobe Commerce, Sansec says
E-commerce security firm Sansec reported active exploitation of the critical SessionReaper flaw (CVE-2025-54236) in Adobe Commerce, blocking over 250 attempts and warning that a majority of stores remain unpatched.
-
Meta launches new anti-scam tools for WhatsApp and Messenger
Meta introduced new scam-detection features for Messenger and warnings for WhatsApp to help users spot and avoid scams, said the company, and reported disabling nearly 8 million accounts linked to scam centers while removing more than 21,000 impersonating Pages and accounts.
-
High-severity parsing flaw in async-tar and forks could enable file overwrite and RCE
A boundary parsing flaw in async-tar and forks including tokio-tar, tracked as CVE-2025-62518 and dubbed TARmageddon, can allow nested TARs to be treated as outer entries and be used to overwrite files and enable remote code execution; users are advised to migrate to astral-tokio-tar v0.5.6.
