CyberNews: 05/11/2025 Edition

Published by Dunateo on 2025-11-05

Today’s roundup

  • How an Attacker Drained $128M from Balancer Through Rounding Error Exploitation
  • Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks
  • Hackers exploit WordPress plugin Post SMTP to hijack admin accounts
  • U.S. CISA adds Gladinet CentreStack, and CWP Control Web Panel flaws to its Known Exploited Vulnerabilities catalog
  • Google fixed a critical remote code execution in Android
  • Malicious Android apps on Google Play downloaded 42 million times
  • Russian hackers abuse Hyper-V to hide malware in Linux VMs
  • Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed
  • Polish loan platform hacked; mobile payment system and other businesses disrupted
  • Data breach at major Swedish software supplier impacts 1.5 million
  • Summary

    On November 3, 2025, Balancer V2’s ComposableStablePool contracts were exploited, resulting in a loss of $128.64 million across six blockchain networks within 30 minutes. Check Point Research detailed that the sophisticated attack leveraged an arithmetic precision loss, or rounding error, in the _upscaleArray function during batchSwap operations. The attacker employed a three-stage swap sequence executed 65 times within a single transaction, artificially suppressing Balancer Pool Token (BPT) prices and extracting value through repeated arbitrage cycles. The exploit contract was deployed with a constructor that automatically performed the manipulation, accumulating stolen funds in its internal balance before transferring them to a recipient address.
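    The rounding mechanism described above, as an added illustration that is neither Balancer's contract code nor Check Point's analysis: a toy pool that scales raw token amounts to 18-decimal fixed point with an assumed non-round rate factor, then scales them back. The functions show where integer truncation appears, how the chosen rounding direction decides whether repeated deposit/withdraw cycles leak value to the pool or to the user, and a check a pool could run to catch the unsafe direction. The rate value, the pool model and the cycle count are constructed for this example.

```python
# Constructed illustration of fixed-point precision loss in token scaling.
# Not Balancer's code: the pool model, RATE_EXAMPLE and cycle counts are assumptions.

ONE = 10**18  # 18-decimal fixed-point unit used for the pool's internal math

# Assumed rate-style scaling factor (1.5 in fixed point); not a power of ten,
# so every scale/unscale step can truncate.
RATE_EXAMPLE = 15 * 10**17


def mul_down(a: int, b: int) -> int:
    """a * b in fixed point, truncating toward zero."""
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    """a * b in fixed point, rounding up to the next unit."""
    product = a * b
    return 0 if product == 0 else (product - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    """a / b in fixed point, truncating toward zero."""
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    """a / b in fixed point, rounding up to the next unit."""
    numerator = a * ONE
    return 0 if numerator == 0 else (numerator - 1) // b + 1


def round_trip(amount: int, factor: int, favour_pool: bool) -> int:
    """Deposit `amount` raw units, credit the upscaled amount internally,
    then withdraw that credit. Returns the raw units paid back out.

    favour_pool=True rounds against the user at both steps (credit less,
    pay out less); favour_pool=False rounds in the user's favour, which is
    the unsafe direction for a pool that holds other users' funds."""
    if favour_pool:
        credit = mul_down(amount, factor)   # upscale: credit the user less
        payout = div_down(credit, factor)   # downscale: pay the user less
    else:
        credit = mul_up(amount, factor)     # upscale: credit the user more
        payout = div_up(credit, factor)     # downscale: pay the user more
    return payout


def drift_over_cycles(amount: int, factor: int, cycles: int, favour_pool: bool) -> int:
    """Net raw units the user ends up ahead (positive) or behind (negative)
    after repeating the same round trip `cycles` times. Shows how a one-unit
    rounding gap compounds when the cycle is repeated inside one transaction."""
    return sum(round_trip(amount, factor, favour_pool) - amount for _ in range(cycles))


def scaling_is_safe(factor: int, favour_pool: bool, max_amount: int = 10_000) -> bool:
    """Defensive property check: for every amount up to max_amount, a round
    trip must never pay out more than was deposited. A pool's rounding
    choice should pass this for every scaling factor it can encounter."""
    return all(round_trip(a, factor, favour_pool) <= a for a in range(1, max_amount + 1))


if __name__ == "__main__":
    for favour in (True, False):
        print(f"favour_pool={favour}: 1 wei round trip pays {round_trip(1, RATE_EXAMPLE, favour)}, "
              f"65-cycle drift {drift_over_cycles(1, RATE_EXAMPLE, 65, favour):+d}, "
              f"safe={scaling_is_safe(RATE_EXAMPLE, favour)}")
```

    Under pool-favouring rounding the user loses at most a unit per cycle and the pool's balance never decreases; under user-favouring rounding the same one-unit gap flips sign and accumulates with every repetition, which is why the rounding direction of every scale and unscale step must be fixed deliberately and checked as an invariant rather than left to the default truncation.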

    A critical, now-patched security flaw in the popular @react-native-community/cli npm package has been disclosed, potentially exposing millions of developers to remote attacks. The vulnerability allowed remote unauthenticated attackers to execute arbitrary operating system (OS) commands under specific conditions on machines running the react-native-community/cli's packager. This flaw posed a significant supply chain risk for mobile application development.

    Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin, used on over 400,000 WordPress sites. The exploit allows attackers to hijack administrator accounts, gaining complete control over affected websites. Users are urged to update the plugin immediately to mitigate this severe risk.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws, CVE-2025-11371 in Gladinet CentreStack/Triofox and CVE-2025-48703 in Control Web Panel (CWP), to its Known Exploited Vulnerabilities (KEV) catalog. Both vulnerabilities are under active exploitation. CVE-2025-11371 is a local file inclusion flaw being exploited as a zero-day to access system files without authentication. CVE-2025-48703 is an OS command injection flaw allowing remote pre-authenticated arbitrary command execution by an attacker knowing a valid username. CISA has mandated federal agencies to patch these flaws by November 25, 2025.

    Google's November 2025 Android security updates include fixes for two vulnerabilities in the core System component, most notably CVE-2025-48593. This critical remote code execution (RCE) flaw requires no additional execution privileges or user interaction for exploitation and impacts Android versions 13, 14, 15, and 16. Google stated it is not aware of in-the-wild exploitation of these specific vulnerabilities at the time of the bulletin.

    A report from cloud security company Zscaler indicates that hundreds of malicious Android applications were downloaded over 42 million times from Google Play between June 2024 and May 2025. These apps posed significant security risks to users, highlighting a persistent challenge in app store security and the scale of malware distribution on mobile platforms.

    The Russian hacker group Curly COMrades is employing a novel technique to evade endpoint detection and response (EDR) solutions by abusing Microsoft Hyper-V in Windows. The group creates hidden Alpine Linux-based virtual machines within Windows environments to execute malware, allowing them to operate stealthily and bypass traditional security monitoring.

    Cybersecurity researchers at Check Point have disclosed details of four security flaws in Microsoft Teams that enabled serious impersonation and social engineering attacks. These vulnerabilities could have allowed attackers to manipulate conversations, impersonate colleagues, and exploit notification systems within the widely used communication platform. The flaws were responsibly disclosed to Microsoft in March 2025 and have since been addressed.

    Poland's Digital Affairs Minister, Krzysztof Gawkowski, reported that cyberattacks targeting the country’s public and private infrastructure are becoming increasingly frequent. Recent incidents include the hacking of a Polish loan platform and disruptions to mobile payment systems and other businesses. These attacks underscore an escalating cyber threat landscape for critical services in Poland.

    The Swedish Authority for Privacy Protection (IMY) is investigating a significant cyberattack on IT systems supplier Miljödata, which resulted in the exposure of personal data belonging to 1.5 million individuals. The incident highlights the vulnerability of software supply chain entities and the broad impact potential data breaches can have on a country's population.

    Want to dig deeper?

    Vulnerabilities

      • CVE-2025-11371 (Medium)
      • CVE-2025-48703 (Critical)

    Cyber Groups

      • Play