Vulnerabilities
-
Critical command injection flaw found in W3 Total Cache WordPress plugin
A critical unauthenticated command injection in the W3 Total Cache WordPress plugin (CVE-2025-9501) can allow PHP code execution via a malicious comment. The developer issued a patch in version 2.8.13 on Oct. 20, but hundreds of thousands of sites may still be unpatched; WPScan plans to publish a proof-of-concept on Nov. 24.
-
Active exploitation reported for 7‑Zip ZIP symbolic link vulnerability
NHS England Digital warned that CVE-2025-11001, a 7‑Zip vulnerability affecting symbolic link handling and allowing remote code execution, is being actively exploited; 7‑Zip 25.00 released in July 2025 contains fixes and users are urged to update.
-
China-linked PlushDaemon hijacks software updates with new EdgeStepper implant, ESET says
ESET researchers say a China-linked group called PlushDaemon is hijacking software-update traffic using an EdgeStepper network implant that redirects update domains to attacker servers and delivers a chain of malware including LittleDaemon, DaemonicLogistics and the SlowStepper backdoor.
-
Researchers report WhatsApp-based worm distributing Delphi banking trojan in Brazil
Trustwave SpiderLabs reported a WhatsApp-propagated campaign in Brazil that uses a Python-based worm and an MSI installer to deploy the Delphi credential stealer Eternidade, which retrieves C2 addresses via IMAP and targets banking and crypto apps.
-
Fortinet warns of FortiWeb OS command injection flaw CVE-2025-58034 exploited in the wild
Fortinet warned that CVE-2025-58034, a medium-severity OS command injection in FortiWeb with a CVSS score of 6.7, has been exploited in the wild; patches are available in specific FortiWeb releases and the company credited a Trend Micro researcher for the report.
-
Self‑replicating botnet abuses Ray clusters to mine cryptocurrency, steal data and launch DDoS attacks
Researchers say a campaign called ShadowRay 2.0 has been exploiting internet‑facing Ray clusters using CVE‑2023‑48022 and Ray’s orchestration features to spread a self‑replicating botnet that mines cryptocurrency, steals proprietary data and launches DDoS attacks, with attackers targeting large GPU environments and using automated discovery and multi‑stage payloads.
-
Meta gives researchers a WhatsApp Research Proxy and tightens anti-scraping protections
Meta has given selected bug bounty researchers access to a WhatsApp Research Proxy and launched a pilot to study platform abuse, while adding anti‑scraping protections after a public report showed how contact discovery could be abused to enumerate accounts at scale. Meta also patched a Unity‑related vulnerability affecting Quest devices and said it has paid…
-
Google issues Chrome security update for actively exploited V8 bug
Google released Chrome updates to fix two V8 type confusion vulnerabilities, including CVE-2025-13223 which is being actively exploited; users should update to the listed Chrome versions and other Chromium-based browser vendors should apply fixes when available.
-
Malicious npm packages use Adspect redirects and fingerprinting to cloak crypto scams
Seven npm packages published under the name ‘dino_reborn’ used Adspect redirects and browser fingerprinting to route real visitors to fake cryptocurrency CAPTCHA scams while showing decoys to likely researchers, Socket researchers found.
-
Microsoft: Aisuru botnet launched 15.72 Tbps DDoS attack against Azure
Microsoft said the Aisuru botnet launched a 15.72 Tbps UDP flood against a public Azure IP in Australia from over 500,000 IPs, reaching nearly 3.64 billion packets per second; researchers and firms including Qi’anxin and Cloudflare have linked Aisuru to multiple large-scale DDoS campaigns that exploit vulnerable IoT devices and routers.
