CVE-2025-8941: Critical privilege escalation in Linux-PAM
CVE-2025-8941, a vulnerability in the Linux-PAM pam_namespace module, has been published. The issue allows local users to abuse symbolic links (symlinks) and race conditions to elevate privileges to root. According to the public description, this CVE completes the fix for an earlier flaw (CVE-2025-6020).
Successful exploitation compromises the confidentiality, integrity, and availability of the system. The vector is local and low complexity, which increases the risk in multi-user or shared access environments.
The immediate priority is to verify versions and apply updates that address pam_namespace. Maintaining strict local access controls and reviewing the use of namespaces will mitigate the risk until patches are deployed.
LANSCOPE Endpoint Manager: RCE in On-Prem edition with active exploitation
Motex disclosed an RCE vulnerability (CVE-2025-61932, CVSS 9.8) in LANSCOPE Endpoint Manager On-Premise affecting versions up to 9.4.7.1. The cloud service is not affected. Motex confirmed targeted malicious activity and released a fix for customers.
Technical details. The issue resides in the Client Program (MR) and Detection Agent (DA) components. Exploitation would allow arbitrary code execution and complete compromise of endpoints. The patch applies on the client side; the central server does not require an update.
On-premises installations should prioritize deploying the fix and review telemetry for exploitation attempts against MR/DA.
Apache Syncope: RCE via Groovy scripts without sandbox
An RCE (CVE-2025-57738) was reported in Apache Syncope due to the execution of Groovy scripts without a sandbox in versions prior to 3.0.14 and 4.0.2. Malicious code can be executed with the privileges of the Syncope Core process.
The flaw was identified by Mike Cole (Mantel Group); the risk arises because delegated administrators with access to Implementations and Reports can upload Groovy that reaches dangerous APIs such as Runtime.
Upgrading to the fixed versions and restricting who can upload Groovy implementations reduces the attack surface in IAM deployments.
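As an added illustration of the "restrict who can upload Groovy" mitigation (this is example code, not part of Syncope or of the original report): a pre-upload screen that flags Groovy implementation or report scripts referencing host-level APIs such as Runtime, ProcessBuilder or String.execute(). The pattern list and the sample script are assumptions constructed for the example; the check is a review aid, not a substitute for upgrading or for a real sandbox.

```python
import re
from dataclasses import dataclass

# APIs a Syncope implementation/report script should not need. The list is an
# assumption for this example (not Syncope's own policy); extend as required.
DANGEROUS_PATTERNS = {
    "process-exec": r"\bRuntime\s*\.\s*getRuntime\s*\(|\bProcessBuilder\b|\.execute\s*\(",
    "jvm-control": r"\bSystem\s*\.\s*(exit|load|loadLibrary)\s*\(",
    "reflection": r"\bClass\s*\.\s*forName\s*\(|\bgetDeclaredMethod\s*\(",
    "filesystem": r"\bnew\s+File\s*\(|\bFiles\s*\.\s*(write|delete|copy|move)\s*\(",
    "network": r"\bnew\s+(URL|Socket)\s*\(",
}


@dataclass
class Finding:
    line: int
    category: str
    text: str


def scan_groovy(source: str) -> list[Finding]:
    """Return one Finding per (line, category) where a flagged API appears.

    Line comments are skipped; string-built or reflective calls can evade a
    textual scan, so a clean result means "nothing obvious", not "safe".
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        for category, pattern in DANGEROUS_PATTERNS.items():
            if re.search(pattern, line):
                findings.append(Finding(lineno, category, stripped))
    return findings


def is_safe_to_upload(source: str) -> bool:
    """Gate for a delegated administrator's upload: reject on any finding."""
    return not scan_groovy(source)


# Constructed sample: a report script that also spawns processes and kills the JVM.
SAMPLE = """// constructed sample Groovy script for the example
def users = userDAO.findAll()
def host = "hostname".execute().text.trim()
Runtime.getRuntime().exec("id")
System.exit(0)
"""

if __name__ == "__main__":
    for f in scan_groovy(SAMPLE):
        print(f"line {f.line} [{f.category}]: {f.text}")
```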
Oracle E-Business Suite: CISA confirms exploitation of CVE-2025-61884
CISA added CVE-2025-61884 to the KEV catalog, confirming its active exploitation. The campaign stole data from multiple Oracle EBS customers and sought to extort the victims; the attacking cluster is allegedly associated with FIN11.
Oracle initially pointed to known flaws (July patches) and then to a zero-day (CVE-2025-61882). On October 11, it announced fixes for CVE-2025-61884 (remotely exploitable without authentication), and on October 21, CISA marked it as exploited, requiring federal agencies to mitigate by November 10.
According to multiple security firms, up-to-date EBS instances should not be vulnerable; organizations should verify their patch status and review possible access to data in EBS.
Ransomware: payments skyrocket to $36 million
Infosecurity Magazine reported that ransomware payments increased, reaching a total of $36 million in the cases analyzed. The upward trend in the amounts paid underscores the current financial impact of ransomware and the need to monitor this metric in the coming quarters.
China accuses the US of attacking its National Time Service Center
China accused the NSA of carrying out cyberattacks against its National Time Service Center, warning that damage to such infrastructure could affect communications, finance, and energy. The accusation was made public following a local investigation.
Chinese statements mention the use of multiple cyberattack tools and the exploitation of services to gain access to the center's personnel and systems; the information was released without any technical evidence being presented publicly. International media also reported on the accusation.
The incident adds tension to the geopolitical landscape and underscores the critical nature of national time synchronization services.
GlassWorm: the self-propagating worm in OpenVSX with invisible code
KOI reported GlassWorm, described as the first self-propagating worm that uses "invisible code" and impacts the OpenVSX Marketplace. The malware steals credentials (NPM, GitHub, Git), targets 49 crypto wallet extensions, sets up SOCKS proxies, and installs a hidden VNC server for remote control.
GlassWorm uses the stolen credentials to compromise further packages and extensions, widening the supply-chain impact and moving laterally to other development projects.
The vector on development environments and marketplaces requires reviewing dependencies and credentials of developers exposed to OpenVSX.
Windows Server (WSUS): Critical vulnerability exploited in the wild
Active exploitation of CVE-2025-59287 in Windows Server Update Services (WSUS) has been confirmed. The flaw allows unauthenticated RCE via insecure deserialization; public PoC exists and Microsoft has issued an out-of-band update.
A remote attacker can send a crafted event that triggers the insecure deserialization and executes code with SYSTEM privileges; the technical disclosure and PoC were published on October 18.
Environments with WSUS roles should immediately apply the patches released by Microsoft and check for indicators of exploitation.