Today’s roundup
Patch Tuesday, October 2025 ‘End of 10’ Edition
Unencrypted satellites expose global communications
Flax Typhoon APT exploited ArcGIS server for over a year as a backdoor
Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group
Researchers warn of widespread RDP attacks by 100K-node botnet
Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control
SAP fixed maximum-severity bug in NetWeaver
Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access
Oracle silently fixes zero-day exploit leaked by ShinyHunters
How Attackers Bypass Synced Passkeys
Summary
Microsoft's October 2025 Patch Tuesday addressed 172 flaws, including three actively exploited zero-days, among them CVE-2025-24990 (Agere Modem driver, which Microsoft removed rather than patched) and CVE-2025-59230 (RasMan elevation of privilege). Critical RCEs in Office and WSUS were also patched. Windows 10 and Exchange Server 2016/2019 officially reached end-of-life.
Researchers from UC San Diego and the University of Maryland found that nearly half of geostationary satellites transmit unencrypted data, exposing military, corporate, and personal communications. Using an $800 receiver, they intercepted T-Mobile calls, in-flight Wi-Fi traffic, and critical infrastructure data, showing how widespread the exposure is.
China-linked APT Flax Typhoon exploited an ArcGIS system for over a year, turning it into a backdoor. The group used a Java SOE web shell, which was embedded in the system's backups, together with a fake VPN tool and a Windows service to maintain persistent encrypted tunnels, map the network, and steal credentials.
Harvard University confirmed an Oracle E-Business Suite cyberattack by the Cl0p ransomware group, resulting in a 1.3 TB data leak. The breach, involving CVE-2025-61882 (CVSS 9.8) and possibly other zero-days, was linked to FIN11, a Cl0p affiliate.
GreyNoise identified a botnet of more than 100,000 IPs across over 100 countries that has been actively targeting U.S. Remote Desktop Protocol (RDP) services since October 8. It performs RD Web Access timing and RDP web client login enumeration, and its coordinated activity suggests centralized control.
Two critical CVSS 10.0 vulnerabilities, CVE-2023-40151 and CVE-2023-42770, were found in Red Lion Sixnet RTU products. These allow unauthenticated remote code execution with maximum privileges, threatening industrial control systems.
SAP patched a maximum-severity bug, CVE-2025-42944 (CVSS 10.0), in NetWeaver AS Java, enabling unauthenticated RCE via insecure deserialization. Other critical flaws included a Directory Traversal (CVE-2025-42937, CVSS 9.8) and an Unrestricted File Upload (CVE-2025-42910, CVSS 9.0).
A critical, actively exploited flaw, CVE-2025-2611 (CVSS 9.3), affects ICTBroadcast autodialer software. Improper input validation allows unauthenticated remote code execution via a cookie exploit, giving attackers remote shell access.
Oracle silently patched CVE-2025-61884, an actively exploited zero-day in its E-Business Suite (12.2.3-12.2.14). The ShinyHunters group publicly leaked its PoC, confirming its use in server breaches for unauthenticated data access.
New research warns that synced passkeys are insecure because they inherit the risks of the cloud accounts that hold them. Adversary-in-the-middle (AiTM) attacks can force a fallback to weaker authentication methods, bypassing the strong security passkeys are meant to provide; the research emphasizes careful evaluation of passkey implementations to limit enterprise exposure.