Summary
The week witnessed a surge in high-impact vulnerabilities, sophisticated attack campaigns, and emerging threats leveraging AI and cloud platforms. Major incidents include Oracle’s emergency patch following active exploitation by Cl0p, a Redis flaw lingering for 13 years, a privilege escalation vulnerability in AWS ClientVPN, and significant breaches impacting Red Hat and SonicWall customers. Additionally, the rise of AI-generated malware and mass RDP attacks highlight the evolving complexity of the global threat landscape.
1. Vulnerability Highlights
1.1: Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It
Severity: Critical (CVSS 9.8)
Affected Product: Oracle E-Business Suite
Oracle released an emergency fix for a remote code execution flaw actively exploited by the Cl0p ransomware group. Attackers could gain full system control without authentication, with evidence of data theft and lateral movement linked to the LAPSUS$ group.
Mitigation: Apply the latest Oracle patch immediately, restrict HTTP access to trusted networks, and monitor logs for anomalies.
Read more: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
1.2: Redis Vulnerability Exposed After 13 Years (CVE-2025-49844)
Severity: Critical (CVSS 10.0)
Affected Product: Redis (Lua scripting enabled)
A 13-year-old flaw dubbed “RediShell” allows authenticated users to run arbitrary code remotely, potentially enabling data theft or cryptojacking. Over 300,000 exposed Redis servers remain at risk.
Mitigation: Upgrade to the patched versions (6.2.20, 7.2.11, 7.4.6, 8.0.4, or 8.2.2) and disable Lua scripting on public-facing servers.
Read more: https://redis.io/blog/security-advisory-cve-2025-49844/
1.3: AWS ClientVPN for macOS Privilege Escalation (CVE-2025-11462)
Severity: High (CVSS 7.8)
Affected Product: AWS ClientVPN for macOS (1.3.2–5.2.0)
A local privilege escalation vulnerability could allow attackers to gain root access via manipulated log files.
Mitigation: Update immediately to version 5.2.1 and monitor for unauthorized cron modifications.
Read more: https://aws.amazon.com/security/security-bulletins/AWS-2025-020/
2. Attack Campaigns
2.1: Red Hat Consulting Breach Impacts 5000+ Enterprise Clients
A data breach at Red Hat Consulting compromised millions of internal and client files, including source code, certificates, and network configurations. The extortion group Crimson Collective claimed responsibility.
Impact: Enterprises across healthcare, banking, and telecom sectors face potential supply chain risks.
Mitigation: Rotate credentials, assess exposure, and monitor third-party access.
Read more: https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance
2.2: SonicWall Backup File Breach – All Cloud Users Affected
Hackers exfiltrated all customer firewall configuration backups (.EXP files) from SonicWall’s cloud service, exposing sensitive configurations and credentials.
Mitigation: Reset all passwords and secrets associated with affected devices, prioritize internet-facing assets, and follow SonicWall’s remediation playbook.
3. Security News & Emerging Threats
3.1: Crimson Collective Leveraging AWS for Data Exfiltration
A new threat group exploits compromised AWS access keys to perform privilege escalation and data theft. Using tools like TruffleHog and the AWS API, they target sensitive cloud repositories.
Mitigation: Rotate all long-term IAM keys, audit CloudTrail logs for TruffleHog or GetCallerIdentity usage, and enforce least-privilege policies.
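The CloudTrail review suggested above, written out as an added example (not code from the original post or from any vendor): a small triage script run over constructed sample records. It assumes TruffleHog identifies itself with a user-agent string containing "TruffleHog" and relies on the documented AKIA prefix for long-term access keys (temporary credentials start with ASIA).

```python
"""Flag CloudTrail records matching the stolen-key pattern: key validation via
sts:GetCallerIdentity, a TruffleHog user agent, long-term key use, IAM changes."""

def _event(time, source, name, agent, ip, ident):
    """Build a minimal CloudTrail record with only the fields the rules inspect."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userAgent": agent, "sourceIPAddress": ip, "userIdentity": ident}

# Constructed sample records (not real data). The first two show a harvested
# long-term key being validated and then used to create a new IAM user.
SAMPLE_EVENTS = [
    _event("2025-10-06T08:01:12Z", "sts.amazonaws.com", "GetCallerIdentity",
           "TruffleHog", "203.0.113.7",
           {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}),
    _event("2025-10-06T08:02:40Z", "iam.amazonaws.com", "CreateUser",
           "aws-cli/2.15.0", "203.0.113.7",
           {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE0000001"}),
    _event("2025-10-06T09:10:00Z", "s3.amazonaws.com", "GetObject",
           "aws-sdk-go/1.44", "10.0.3.25",
           {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000002"}),
]

# IAM write calls a stolen key is typically used for before data is pulled.
PRIV_ESC_CALLS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                  "PutUserPolicy", "AttachRolePolicy"}

def classify(event):
    """Return a list of finding labels for one CloudTrail record ([] if clean)."""
    findings = []
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "")
    name = event.get("eventName")
    # A harvested key is usually validated with GetCallerIdentity before anything else.
    if event.get("eventSource") == "sts.amazonaws.com" and name == "GetCallerIdentity":
        findings.append("key-validation")
        if "trufflehog" in event.get("userAgent", "").lower():  # assumed UA substring
            findings.append("trufflehog-user-agent")
    # Long-term IAM user keys (AKIA...) are the rotation target named in the advisory.
    if key.startswith("AKIA") and ident.get("type") == "IAMUser":
        findings.append("long-term-key")
    if name in PRIV_ESC_CALLS:
        findings.append("iam-privilege-change")
    return findings

def scan(events):
    """Group findings by accessKeyId so one key's full activity chain is visible."""
    hits = {}
    for ev in events:
        found = classify(ev)
        if found:
            hits.setdefault(ev["userIdentity"].get("accessKeyId", "?"), []).extend(found)
    return hits

if __name__ == "__main__":
    for key, found in scan(SAMPLE_EVENTS).items():
        print(key, sorted(set(found)))
```

Any key that shows key-validation followed by iam-privilege-change in one report is a candidate for immediate rotation and a CloudTrail pull of everything it touched.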
3.2: MalTerminal: AI-Generated Malware Using GPT-4
SentinelLABS revealed “MalTerminal,” a proof-of-concept malware leveraging GPT-4 to generate custom ransomware or reverse shell code at runtime. The discovery signals a new era of adaptive, AI-driven cyber threats.
Mitigation: Monitor for suspicious API usage, revoke unused OpenAI API keys, and deploy behavioral threat detection tools.
Read more: https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware/
3.3: Massive Global RDP Attack Campaign
GreyNoise reported a coordinated attack wave targeting RDP services from over 100,000 IP addresses across 100+ countries. Attackers used timing-based enumeration and credential guessing to compromise exposed endpoints.
Mitigation: Enforce MFA, restrict RDP access to trusted IPs, and use the GreyNoise RDP blocklist (“microsoft-rdp-botnet-oct-25”) to prevent brute-force attacks.
Read more: https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave
4. Key Takeaways
Crowe UAE’s Cyber Threat Management division continues to monitor these developments, providing timely insights to help organizations strengthen their defense posture.