Vendors
-
SimonMed says 1.2 million patients impacted in January data breach
SimonMed Imaging said more than 1.2 million people were affected by a data breach that gave attackers access to its network from Jan. 21 to Feb. 5; Medusa ransomware claimed the theft and the company said it found no evidence of misuse as of Oct. 10.
-
Netherlands places Nexperia under special administrative measures over governance concerns
The Netherlands has placed Chinese-owned Nexperia under special administrative measures under the Goods Availability Act, citing governance failures and risks to European chip capabilities; the company’s owner Wingtech has disputed the move and said it will effectively freeze operations.
-
Microsoft tightens Edge’s Internet Explorer mode after reports of exploit chain
Microsoft said it has tightened Internet Explorer mode in Edge after reports that attackers used social engineering and unpatched Chakra 0-day exploits to gain remote code execution and escalate privileges, and the company removed easier IE mode launch options and now requires explicit enabling.
-
Astaroth banking trojan leverages GitHub to restore command-and-control, McAfee says
McAfee Labs reported that the Astaroth banking trojan campaign uses GitHub-hosted images with steganography to update configurations and maintain access after C2 takedowns; the campaign targets Brazil and other Latin American countries and is delivered via DocuSign-themed phishing emails.
-
Unauthenticated flaw in Gladinet CentreStack and Triofox (CVE-2025-11371) exploited in the wild
Security researchers say CVE-2025-11371, an unauthenticated local file inclusion in Gladinet CentreStack and Triofox, is being exploited in the wild; Huntress recommends removing a handler from the UploadDownloadProxy Web.config as a temporary mitigation while Gladinet prepares a patch.
-
Microsoft: Storm-2657 Used Phishing to Redirect University Payrolls via Workday Accounts
Microsoft said a gang known as Storm-2657 has used phishing and adversary-in-the-middle links to steal MFA and compromise university Workday-linked accounts since March 2025, altering payroll configurations to redirect salary payments and spreading further phishing inside and across campuses.
-
SonicWall says unauthorized party accessed cloud firewall backup files
SonicWall said an unauthorized party accessed firewall configuration backup files stored in its cloud for all customers who used the cloud backup service; the files contain encrypted credentials and the company is urging users to check accounts and follow containment and remediation guidance.
-
Attackers exploiting critical auth-bypass flaw in Service Finder WordPress theme
Security researchers at Wordfence say attackers are actively exploiting CVE-2025-5947, a critical authentication-bypass flaw in the Service Finder WordPress theme that can give attackers administrator access; a patch was released in version 6.1 and administrators are urged to update or stop using the theme.
-
Patched command injection in Figma MCP server could allow remote code execution, researchers say
A command injection bug in the figma-developer-mcp Model Context Protocol server, tracked as CVE-2025-53967 and scored 7.5, could allow remote code execution by interpolating unvalidated input into shell commands; the issue was fixed in version 0.6.3 and researchers recommend avoiding child_process.exec with untrusted data.
-
Microsoft links Storm-1175 to zero-day exploitation of GoAnywhere MFT
Microsoft said the criminal group Storm-1175 exploited a zero-day in Fortra’s GoAnywhere MFT to gain remote code execution, deploy monitoring tools, steal data with Rclone and install Medusa ransomware, with activity observed as early as Sept. 11; CISA and other researchers have also reported active exploitation.
