Exploits, Malware Networks, and Supply Chain Risks

Cyber Threat Bulletin (20–26 October 2025)

10/29/2025

The week of 20–26 October 2025 witnessed a series of critical cybersecurity incidents and active exploitation campaigns that underscore the evolving threat landscape. Organizations across industries continue to face attacks exploiting unpatched vulnerabilities, sophisticated phishing lures, and supply chain compromises. Below is a summary of the most significant developments impacting enterprises globally.

1. Critical Vulnerabilities Rock Major Platforms

GitLab released emergency patches (versions 18.5.1, 18.4.3, and 18.3.5) addressing seven vulnerabilities, three of which could trigger denial-of-service (DoS) conditions and one rated as high-severity (CVSS 8.5) affecting API access controls. While no active exploitation has been confirmed, the flaws could allow unauthorized access and service disruptions. Administrators are urged to apply updates immediately and monitor for anomalous API activity.

Meanwhile, a critical remote code execution (RCE) flaw in Microsoft WSUS (CVE-2025-59287) was confirmed to be actively exploited just hours after patch release. The vulnerability allows unauthenticated attackers to execute code as SYSTEM, enabling potential distribution of malicious updates through corporate networks. With over 8,000 WSUS servers exposed online, CISA has mandated patching by November 14, 2025.

Another alarming vulnerability emerged in LANSCOPE Endpoint Manager (CVE-2025-61932), which enables remote code execution through malicious network packets. The flaw affects on-premise editions up to version 9.4.7.1 and has already been exploited in the wild. Motex has released updates via its customer portal, urging immediate patch deployment.

2. Widespread Attack Campaigns and Data Breaches

Retail giant Toys “R” Us Canada confirmed a data breach that exposed customer details including names, emails, and addresses. While payment data was not compromised, stolen information appeared on the dark web, potentially fueling phishing and identity fraud. The company has enhanced its cybersecurity framework and offered credit monitoring for affected customers.

In parallel, threat actors targeted Azure Blob Storage accounts using stolen credentials from previous phishing campaigns and malware such as SharkStealer. Attackers exfiltrated configuration files, backups, and code repositories by abusing misconfigured access tokens. Microsoft has urged organizations to enforce strict access controls, enable multi-factor authentication (MFA), and audit storage policies regularly.
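The passage turns on tokens that grant far more than a legitimate client needs. As an added example (not code from the bulletin or from Microsoft), the audit below parses the standard Azure shared access signature (SAS) query parameters (sp, sr, srt, se, spr, sip) from a blob URL and reports the misconfigurations a storage audit should catch: write-class or list permissions, container- or account-wide scope, missing, long or already-passed expiry, plain HTTP permitted, and no source-IP restriction. The storage account, container names, signatures and the fixed "now" are all constructed placeholders; the seven-day lifetime ceiling is an assumption, not a Microsoft recommendation.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed SAS URLs for this example; the signatures are fake and the
# account/container names are placeholders, not real resources.
WEAK_SAS = (
    "https://examplestorage.blob.core.windows.net/backups"
    "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z"
    "&spr=https,http&sig=FAKESIGNATURE"
)
SCOPED_SAS = (
    "https://examplestorage.blob.core.windows.net/backups/db.bak"
    "?sv=2022-11-02&sr=b&sp=r&se=2025-10-30T00:00:00Z&spr=https"
    "&sip=203.0.113.10&sig=FAKESIGNATURE"
)

# Fixed reference time so the example is reproducible (constructed).
EXAMPLE_NOW = datetime(2025, 10, 29, tzinfo=timezone.utc)

# Permission letters that let the holder change or delete data rather than read it.
WRITE_CLASS = {"w", "d", "c", "a", "u"}  # write, delete, create, add, update


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a blob URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _parse_expiry(value: str) -> datetime:
    """SAS timestamps are UTC, given as a full ISO timestamp or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS expiry: {value!r}")


def audit_sas(url: str, now: Optional[datetime] = None,
              max_lifetime: timedelta = timedelta(days=7)) -> List[str]:
    """Return finding codes for an over-broad or long-lived SAS; empty list if none."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    findings: List[str] = []

    perms = set(p.get("sp", ""))
    if perms & WRITE_CLASS:
        findings.append("WRITE_PERMS")        # token can modify or delete data
    if "l" in perms:
        findings.append("LIST_PERMS")         # token can enumerate blobs

    if p.get("sr") == "c":
        findings.append("CONTAINER_SCOPE")    # whole container, not a single blob
    if "srt" in p:
        findings.append("ACCOUNT_SAS")        # account SAS spans services, not one resource

    if "se" not in p:
        findings.append("NO_EXPIRY")
    else:
        expiry = _parse_expiry(p["se"])
        if expiry < now:
            findings.append("EXPIRED")
        elif expiry - now > max_lifetime:
            findings.append("LONG_LIFETIME")

    # If spr is omitted, Azure permits both protocols, so default to the permissive case.
    if "http" in p.get("spr", "https,http").split(","):
        findings.append("HTTP_ALLOWED")       # token may travel over plaintext
    if "sip" not in p:
        findings.append("NO_IP_RESTRICTION")

    return findings


if __name__ == "__main__":
    for label, url in (("weak", WEAK_SAS), ("scoped", SCOPED_SAS)):
        print(label, audit_sas(url, now=EXAMPLE_NOW) or ["OK"])
```

In practice the URLs would come from exported app settings, CI variables or the configuration files the attackers in this campaign were after; a token that trips WRITE_PERMS or CONTAINER_SCOPE where the consumer only reads one blob is the kind of finding that justifies regenerating the key that signed it.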

Adobe Commerce (Magento) also faced renewed exploitation as hackers leveraged a flaw dubbed SessionReaper (CVE-2025-54236) to compromise over 250 online stores within 24 hours. Attackers uploaded malicious PHP webshells and hijacked customer sessions, emphasizing the urgency of patching and continuous monitoring for anomalous file uploads.

3. Emerging Malware and Phishing Tactics

The YouTube Ghost Malware Network resurfaced, leveraging more than 3,000 malicious videos masquerading as software cracks and game cheats. The campaign uses password-protected archives and evolves frequently to evade antivirus detection. The latest payload, Rhadamanthys v0.9.2, steals credentials and financial data from compromised systems.

Google’s Threat Intelligence team also uncovered a fake job campaign operated by a Vietnam-based group (UNC6229). The attackers distribute password-protected files or links to fraudulent interview portals, infecting victims with remote access trojans (RATs). Job seekers in digital marketing and advertising are prime targets, highlighting the need for awareness training and verification of employment offers.

In addition, a phishing campaign exploiting Microsoft 365 Exchange’s Direct Send feature allowed attackers to bypass email content filters and impersonate internal users. Microsoft is now introducing the “RejectDirectSend” control to mitigate abuse.

4. Supply Chain and Cloud Threats Escalate

A new malware strain named GlassWorm marked a major supply chain attack by infecting Visual Studio Code extensions. The self-propagating worm hides malicious code using invisible Unicode characters and communicates via the Solana blockchain for command-and-control. Over 35,000 downloads of affected extensions have been reported, compromising developer environments and crypto wallets. Security experts advise removing affected extensions and rotating exposed credentials.
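The detail that matters for defenders here is the hiding technique: characters that render as nothing in an editor can carry code past a human review. As an added example (not code from the bulletin or from any GlassWorm analysis), the scanner below flags that general class of characters in source files: zero-width spaces and joiners, Unicode tag characters (which encode ASCII invisibly and are decoded back by reveal_tags), variation selectors, and other format characters such as bidirectional overrides. It makes no claim about which characters GlassWorm itself used; the sample source, the code-point list and the file suffixes to scan are constructed assumptions for the example.

```python
import unicodedata
from pathlib import Path
from typing import Dict, List

# Constructed sample "extension source" for this example. Line 1 carries a
# legitimate accented character that must NOT be flagged; line 2 ends with a
# zero-width space; line 3 carries two Unicode tag characters (U+E0048,
# U+E0069), which render as nothing but encode the ASCII letters "Hi".
SAMPLE_SOURCE = (
    'const greeting = "café";\n'
    'let total = 1;\u200b // trailing zero-width space\n'
    'run("\U000E0048\U000E0069");\n'
)

# Explicit zero-width code points that editors render as nothing. A starting
# list for this example, not an exhaustive catalogue.
ZERO_WIDTH = {
    0x00AD,                   # soft hyphen
    0x200B, 0x200C, 0x200D,   # zero-width space / non-joiner / joiner
    0x2060,                   # word joiner
    0xFEFF,                   # zero-width no-break space (a BOM when mid-file)
    0x2028, 0x2029,           # line / paragraph separator
}


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing and can therefore hide code."""
    cp = ord(ch)
    if cp in ZERO_WIDTH:
        return True
    if 0xE0000 <= cp <= 0xE007F:                               # Unicode tag characters
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:     # variation selectors
        return True
    # Remaining "format" characters, e.g. bidi overrides such as U+202E.
    return unicodedata.category(ch) == "Cf"


def scan_text(text: str) -> List[dict]:
    """Return one finding per invisible character: line, column, code point, name."""
    findings = []
    # Split on "\n" only: str.splitlines() would also break on U+2028/U+2029
    # and silently shift the line numbers we report.
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append({
                    "line": line_no,
                    "col": col,
                    "codepoint": ord(ch),
                    "name": unicodedata.name(ch, "UNNAMED"),
                })
    return findings


def reveal_tags(text: str) -> str:
    """Decode Unicode tag characters back to the ASCII they encode (U+E00xx -> U+00xx)."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text
                   if 0xE0000 <= ord(ch) <= 0xE007F)


def scan_tree(root: str, suffixes=(".js", ".mjs", ".ts", ".json")) -> Dict[str, List[dict]]:
    """Scan every source file under root; returns {path: findings} for files with hits."""
    results: Dict[str, List[dict]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SOURCE):
        print(f'line {hit["line"]} col {hit["col"]}: U+{hit["codepoint"]:04X} {hit["name"]}')
    print("hidden tag text:", repr(reveal_tags(SAMPLE_SOURCE)))
```

Pointing scan_tree at the directory where an editor keeps its installed extensions turns this into a quick inventory check after a report like this one; ordinary non-ASCII text in strings and comments is left alone, so a hit is worth a look rather than noise.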

5. Security Recommendations

The latest incidents emphasize the critical need for proactive patch management, strong access control, and continuous threat monitoring. Organizations should:

  • Apply security patches promptly across all endpoints and servers.
  • Enforce MFA for cloud and admin accounts.
  • Audit API and storage configurations.
  • Monitor for indicators of compromise (IOCs) shared by vendors.
  • Train employees against phishing and social engineering attempts.

By maintaining vigilance and adopting a layered defense strategy, organizations can better safeguard their digital assets against evolving cyber threats.

For consultation and for tailored cybersecurity advisory, contact our team at Crowe UAE, +971 54 246 8006, +971 55 343 8693, [email protected]