News of The Week October 10th

News of the Week: Storm of vulnerabilities

In the news of the week ending October 10, 2025, are five major providers affected by critical failures this week.

Cisco ASA/FTD 0-Day exploited to bypass authentication

A critical zero-day exploit chain has been identified that affects Cisco ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense) software, targeting its WebVPN module, allowing authentication bypass (CVE-2025-20362) followed by a buffer overflow (CVE-2025-20333) to achieve remote execution without authentication.

Cisco has already released patches (e.g., ASAv 9.16.4.85), and administrators are advised to apply the updates immediately, especially if they have the clientless VPN portal enabled.

Critical RCE in Redis (CVE-2025-49844)

Wiz Research discovered a remote code execution (RCE) vulnerability in Redis, called RediShell, which originates from a bug that has existed for about 13 years in the handling of Lua scripts. With a CVSS of 10.0, the flaw allows escaping the Lua sandbox and executing native code on the host.

Since Redis is used in approximately 75% of cloud environments, many instances are at risk, especially those that are publicly exposed or unauthenticated. Organizations are urged to patch immediately and as a priority.

Oracle releases urgent patch for CVE-2025-61882 following Cl0p attacks

Oracle has issued an emergency patch for a critical vulnerability in its E-Business Suite (CVE-2025-61882, with a CVSS score of 9.8) that is already being exploited by the Cl0p group for data theft. The flaw allows an unauthenticated attacker to compromise the Concurrent Processing component via HTTP. The company urged organizations to review possible previous compromises, as it could have been used before the patch.

Extortion against Salesforce after theft of data from dozens of customers

A group calling itself Scattered LAPSUS$ Hunters claims to have stolen large volumes of data from dozens of companies using Salesforce instances and is demanding ransoms, citing up to 1 billion stolen records.

Salesforce states that it has not detected any recent intrusions into its platform and that the extortion attempts are linked to past or unconfirmed incidents. However, the attackers are also threatening to use existing legal litigation to put pressure on the provider.

GitHub Copilot Chat flaw leaks data from private repositories

A vulnerability has been discovered in Copilot Chat that combines Content Security Policy bypass and prompt injection: it allows AWS keys and zero-day vulnerabilities to be leaked and controls the responses received by the user.

The attacker can insert hidden comments that are not displayed but alter the context of the chat and extract data encoded via URL, exploiting the way Copilot handles commented HTML requests. GitHub has already disabled the use of Camo for these leaks.

Shadow IT in Generative AI: Employees Leak Secrets to ChatGPT

Users are copying confidential information from their companies into AI tools such as ChatGPT, creating risks of deliberate or accidental leaks. It is clear that the ease of use and informal integration of these services create a significant internal leak vector that many organizations still do not adequately regulate.

BreachForums domain linked to Scattered Lapsus$ Hunters seized

Authorities have seized the BreachForums domain, associated with the Scattered LAPSUS$ Hunters group, which has been active in extortion and data theft campaigns. This move could temporarily hinder the group’s public operations, but it does not guarantee the interruption of its activities, which could migrate to other domains or clandestine networks.

Emanuelle Jimenez