Author: Mark

  • The Cybersecurity Perception Gap: Why Executives and Practitioners See Risk Differently

    Oct 24, 2025 | The Hacker News | Cyber Resilience / Data Protection

    Does your organization suffer from a cybersecurity perception gap? Findings from the Bitdefender 2025 Cybersecurity Assessment suggest the answer is probably “yes” — and many leaders may not even realize it.

    This disconnect matters. Small differences in perception today can evolve into major blind spots tomorrow. After all, perception influences what organizations prioritize, where they allocate resources, and how they respond in critical moments.

    Confidence at the Top, Caution on the Ground

    Bitdefender’s latest assessment surveyed 1,200 cybersecurity and IT professionals, and at first glance, the results suggest optimism. An impressive 93% say they are “somewhat” or “very confident” in their ability to manage cyber risk as the attack surface expands.

    But dig deeper, and the optimism begins to split.

    Nearly half (45%) of C-level respondents — including CISOs and CIOs — describe themselves as “very confident” in their organization’s readiness. Yet among mid-level managers, that number drops sharply to just 19%.

    Executives, it seems, are more than twice as likely as operational teams to feel assured about their cybersecurity posture.

    When leadership overestimates readiness, it can lead to underinvestment in people, processes, and technology. But perhaps it’s not about who’s right — rather, it’s about how differently each group views the same landscape.

    Why the Cybersecurity Perception Gap Exists

    In a recent conversation with several Bitdefender cybersecurity experts, we explored what drives this perception gap — and why it persists across so many organizations.

    Sean Nikkel, Team Lead at the Bitdefender Cyber Intelligence Fusion Cell, says it’s no surprise that front-line professionals tend to have lower confidence in their organization’s cyber resilience. They’re the ones confronting risks up close.

    “Think about what happens after a merger or acquisition,” Nikkel explains. “Whatever risk the acquired company carried, you now inherit. You can go from 100% green to yellow overnight — legacy systems, forgotten shadow IT, outdated processes. Those details are often invisible to leadership but painfully clear to security teams.”

    Martin Zugec, Bitdefender Technical Solutions Director, agrees. “In my investigations, I often see a completely different version of cybersecurity than what’s being discussed online,” he says. “There’s a gap between perception and reality — and that gap seems to be widening.”

    For Nick Jackson, Bitdefender’s Director of Cybersecurity Services, the issue often comes down to communication. “Mid-level managers handle much of the operational load, while CISOs and C-level leaders focus on strategic planning,” he notes. “Without strong reporting and collaboration, those worlds can drift apart.”

    How to Close the Perception Gap

    Bridging this divide isn’t just about improving communication — it’s a strategic imperative. Jackson, who helps organizations align through the Bitdefender Security Advisory, says the solution starts with mutual understanding.

    “When both sides understand each other’s perspectives — the executive’s focus on risk appetite and business priorities, and the manager’s daily reality of operational threats — they can make smarter, faster decisions,” Jackson explains.

    Better alignment helps everyone. Mid-level managers gain insight into why the company might accept certain risks or limit spending in specific areas. Meanwhile, executives gain a clearer view of the on-the-ground challenges that create those concerns in the first place.

    Ultimately, cybersecurity success depends on shared visibility and trust. Closing the perception gap builds a culture where executives and practitioners move in sync — aligning strategy with reality to strengthen the entire organization.

    Learn More About the C-Level vs. Frontline Divide

    The perception gap identified in the Bitdefender 2025 Cybersecurity Assessment reaches beyond readiness, revealing differing cybersecurity priorities for 2025 and contrasting views on the global skills shortage.

    To explore the full findings, download the complete Bitdefender 2025 Cybersecurity Assessment Report and gain a data-driven view of what’s shaping cybersecurity strategy in the year ahead.


    Source: thehackernews.com…

  • 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation

    Oct 24, 2025 | Ravie Lakshmanan | Malware / Hacking News

    A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads.

    Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. It has been codenamed the YouTube Ghost Network by Check Point. Google has since stepped in to remove a majority of these videos.

    The campaign leverages hacked accounts and replaces their content with “malicious” videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000.

    “This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe,” Eli Smadja, security research group manager at Check Point, said. “What looks like a helpful tutorial can actually be a polished cyber trap. The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponize engagement tools to spread malware.”

    The use of YouTube for malware distribution is not a new phenomenon. For years, threat actors have been observed hijacking legitimate channels or using newly created accounts to publish tutorial-style videos with descriptions pointing to malicious links that, when clicked, lead to malware.

    These attacks are part of a broader trend where attackers repurpose legitimate platforms for nefarious purposes, turning them into an effective avenue for malware distribution. While some of the campaigns have abused legitimate ad networks, such as those associated with search engines like Google or Bing, others have capitalized on GitHub as a delivery vehicle, as in the case of the Stargazers Ghost Network.

    One of the main reasons why Ghost Networks have taken off in a big way is that they can not only be used to amplify the perceived legitimacy of the links shared, but also maintain operational continuity even when accounts are banned or taken down by the platform owners, thanks to their role-based structure.

    “These accounts take advantage of various platform features, such as videos, descriptions, posts (a lesser-known YouTube feature similar to Facebook post), and comments to promote malicious content and distribute malware, while creating a false sense of trust,” security researcher Antonis Terefos said.

    “The majority of the network consists of compromised YouTube accounts, which, once added, are assigned specific operational roles. This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation.”

    There are specific types of accounts –

    • Video-accounts, which upload phishing videos and provide descriptions containing links to download the advertised software (alternatively, the links are shared as a pinned comment or provided directly in the video as part of the installation process)
    • Post-accounts, which are responsible for publishing community messages and posts containing links to external sites
    • Interact-accounts, which like and post encouraging comments to give the videos a veneer of trust and credibility

    The links direct users to a wide range of services like MediaFire, Dropbox, or Google Drive, or phishing pages hosted on Google Sites, Blogger, and Telegraph that, in turn, incorporate links to download the supposed software. In many of these cases, the links are concealed using URL shorteners to mask the true destination.

    Some of the malware families distributed via the YouTube Ghost Network include Lumma Stealer, Rhadamanthys Stealer, StealC Stealer, RedLine Stealer, Phemedrone Stealer, and other Node.js-based loaders and downloaders. Examples of compromised channels include –

    • A channel named @Sound_Writer (9,690 subscribers), which has been compromised for over a year to upload cryptocurrency software videos to deploy Rhadamanthys
    • A channel named @Afonesio1 (129,000 subscribers), which was compromised on December 3, 2024, and January 5, 2025, to upload a video advertising a cracked version of Adobe Photoshop to distribute an MSI installer that deploys Hijack Loader, which then delivers Rhadamanthys

    “The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point said. “Adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks.”

    “These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”


    Source: thehackernews.com…

  • Self-Spreading 'GlassWorm' Infects VS Code Extensions in Widespread Supply Chain Attack

    Oct 24, 2025 | Ravie Lakshmanan | DevOps / Malware

    Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.

    The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025.

    What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism.

    Another novel aspect is that the GlassWorm campaign relies on “invisible Unicode characters that make malicious code literally disappear from code editors,” Idan Dardikman said in a technical report. “The attacker used Unicode variation selectors – special characters that are part of the Unicode specification but don’t produce any visual output.”
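    The detection side of that trick, as an added example that is not code from Koi Security or from the report: a scanner that walks source text by code point and reports every run of Unicode variation selectors (U+FE00–U+FE0F, U+E0100–U+E01EF). The extra zero-width ranges and the sample files are assumptions constructed for the example, not real GlassWorm artifacts.

```javascript
// Added example: flag Unicode code points that render as nothing in an editor.
// Variation selectors are the ranges the GlassWorm report names; the remaining
// ranges are an assumption (other zero-width characters worth the same scrutiny).
const INVISIBLE_RANGES = [
  [0xfe00, 0xfe0f, "variation selector (VS1-VS16)"],
  [0xe0100, 0xe01ef, "variation selector supplement (VS17-VS256)"],
  [0xe0000, 0xe007f, "tag character"],
  [0x200b, 0x200f, "zero-width space / joiner / bidi mark"],
  [0x2060, 0x2064, "word joiner / invisible operator"],
  [0xfeff, 0xfeff, "zero-width no-break space"],
];

function classify(codePoint) {
  for (const [lo, hi, label] of INVISIBLE_RANGES) {
    if (codePoint >= lo && codePoint <= hi) return label;
  }
  return null;
}

function hex(codePoint) {
  return "U+" + codePoint.toString(16).toUpperCase().padStart(4, "0");
}

// Returns one finding per run of consecutive invisible code points:
// { line, column, label, runLength, first }; column counts code points.
function scanInvisible(source) {
  const findings = [];
  let line = 1;
  let column = 1;
  let run = null;
  for (const ch of source) {          // for..of walks code points, not UTF-16 units
    const cp = ch.codePointAt(0);
    const label = classify(cp);
    if (label !== null) {
      if (run === null) {
        run = { line, column, label, runLength: 0, first: hex(cp) };
        findings.push(run);
      }
      run.runLength += 1;
    } else {
      run = null;                     // a visible character ends the run
    }
    if (ch === "\n") {
      line += 1;
      column = 1;
    } else {
      column += 1;
    }
  }
  return findings;
}

// Audits a map of { path: sourceText } (e.g. every .js file unpacked from a
// .vsix) and returns only the files carrying invisible code points, worst first.
function auditExtensionFiles(files) {
  const report = [];
  for (const [path, source] of Object.entries(files)) {
    const findings = scanInvisible(source);
    if (findings.length > 0) {
      const total = findings.reduce((n, f) => n + f.runLength, 0);
      report.push({ path, total, findings });
    }
  }
  report.sort((a, b) => b.total - a.total);
  return report;
}

// Constructed sample: a benign extension entry point, and a file carrying a
// run of variation selectors after an innocuous statement (not real malware).
const SAMPLE_FILES = {
  "extension.js":
    'const vscode = require("vscode");\nfunction activate() {}\nmodule.exports = { activate };\n',
  "utils.js":
    "const x = 1;" + "\uFE00\uFE05\u{E0101}\u{E01A0}" + "\nconsole.log(x);\n",
};

for (const file of auditExtensionFiles(SAMPLE_FILES)) {
  console.log(`${file.path}: ${file.total} invisible code point(s)`);
  for (const f of file.findings) {
    console.log(`  line ${f.line}, col ${f.column}: ${f.runLength} x ${f.label}, first ${f.first}`);
  }
}
```

A clean file produces no output; a hit gives the exact line and column so the bytes can be inspected in a hex viewer rather than in the editor that hides them.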

    The end goal of the attack is to harvest npm, Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, deploy SOCKS proxy servers to turn developer machines into conduits for criminal activities, install hidden VNC (HVNC) servers for remote access, and weaponize the stolen credentials to compromise additional packages and extensions for further propagation.

    The names of the infected extensions, 13 of them on Open VSX and one on the Microsoft Extension Marketplace, are listed below. These extensions have been downloaded about 35,800 times. The first wave of infections took place on October 17, 2025. It’s currently not known how these extensions were hijacked.

    • codejoy.codejoy-vscode-extension 1.8.3 and 1.8.4
    • l-igh-t.vscode-theme-seti-folder 1.2.3
    • kleinesfilmroellchen.serenity-dsl-syntaxhighlight 0.3.2
    • JScearcy.rust-doc-viewer 4.2.1
    • SIRILMP.dark-theme-sm 3.11.4
    • CodeInKlingon.git-worktree-menu 1.0.9 and 1.0.91
    • ginfuru.better-nunjucks 0.3.2
    • ellacrity.recoil 0.7.4
    • grrrck.positron-plus-1-e 0.0.71
    • jeronimoekerdt.color-picker-universal 2.8.91
    • srcery-colors.srcery-colors 0.3.9
    • sissel.shopify-liquid 4.0.1
    • TretinV3.forts-api-extention 0.3.1
    • cline-ai-main.cline-ai-agent 3.1.3 (Microsoft Extension Marketplace)

    The malicious code concealed within the extensions is designed to search for transactions associated with an attacker-controlled wallet on the Solana blockchain, and if found, it proceeds to extract a Base64-encoded string from the memo field that decodes to the C2 server (“217.69.3[.]218” or “199.247.10[.]166”) used for retrieving the next-stage payload.

    The payload is an information stealer that captures credentials, authentication tokens, and cryptocurrency wallet data, and reaches out to a Google Calendar event to parse another Base64-encoded string and contact the same server to obtain a payload codenamed Zombi. The data is exfiltrated to a remote endpoint (“140.82.52[.]31:80”) managed by the threat actor.

    Written in JavaScript, the Zombi module essentially turns a GlassWorm infection into a full-fledged compromise by dropping a SOCKS proxy, WebRTC modules for peer-to-peer communication, BitTorrent’s Distributed Hash Table (DHT) for decentralized command distribution, and HVNC for remote control.

    The problem is compounded by the fact that VS Code extensions are configured to auto-update, allowing the threat actors to push the malicious code automatically without requiring any user interaction.

    “This isn’t a one-off supply chain attack,” Dardikman said. “It’s a worm designed to spread through the developer ecosystem like wildfire.”

    “Attackers have figured out how to make supply chain malware self-sustaining. They’re not just compromising individual packages anymore – they’re building worms that can spread autonomously through the entire software development ecosystem.”

    The development comes as the use of blockchain for staging malicious payloads has witnessed a surge due to its pseudonymity and flexibility, with even threat actors from North Korea leveraging the technique to orchestrate their espionage and financially motivated campaigns.


    Source: thehackernews.com…

  • North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets

    Oct 23, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

    Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job.

    “Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program,” ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News.

    It’s assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025.

    Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe.

    While ScoringMathTea (aka ForestTiger) was previously observed by ESET in early 2023 in connection with cyber attacks targeting an Indian technology company and a defense contractor in Poland, MISTPEN was documented by Google Mandiant in September 2024 as part of intrusions aimed at companies in the energy and aerospace verticals. The first appearance of ScoringMathTea dates back to October 2022.

    Operation Dream Job, first exposed by Israeli cybersecurity company ClearSky in 2020, is a persistent attack campaign mounted by a prolific North Korean hacking group dubbed Lazarus Group, which is also tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970. The hacking group is believed to be operational since at least 2009.

    In these attacks, the threat actors leverage social engineering lures akin to Contagious Interview to approach prospective targets with lucrative job opportunities and trick them into infecting their systems with malware. The campaign also exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star.

    “The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers said.

    The attack chain leads to the execution of a binary, which is responsible for sideloading a malicious DLL that drops ScoringMathTea as well as a sophisticated downloader codenamed BinMergeLoader, which functions similarly to MISTPEN and uses Microsoft Graph API and tokens to fetch additional payloads.

    Alternate infection sequences have been found to leverage an unknown dropper to deliver two interim payloads, the first of which loads the latter, ultimately resulting in the deployment of ScoringMathTea, an advanced RAT that supports around 40 commands to take complete control over the compromised machines.

    “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” ESET said. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”


    Source: thehackernews.com…

  • Secure AI at Scale and Speed — Learn the Framework in this Free Webinar

    Oct 23, 2025 | The Hacker News | Artificial Intelligence / Data Protection

    AI is everywhere—and your company wants in. Faster products, smarter systems, fewer bottlenecks. But if you’re in security, that excitement often comes with a sinking feeling.

    Because while everyone else is racing ahead, you’re left trying to manage a growing web of AI agents you didn’t create, can’t fully see, and weren’t designed to control.

    Join our upcoming webinar and learn how to make AI security work with you, not against you.

    The Quiet Crisis No One Talks About

    Did you know most companies now have 100 AI agents for every one human employee?

    Even more shocking? 99% of those AI identities are completely unmanaged. No oversight. No lifecycle controls. And every one of them could be a backdoor waiting to happen.

    It’s not your fault. Traditional tools weren’t built for this new AI world. But the risks are real—and growing.

    Let’s Change That. Together.

    In our free webinar, “Turning Controls into Accelerators of AI Adoption,” we’ll help you flip the script.

    This isn’t about slowing the business down. It’s about giving you a real strategy to move faster—safely.

    Here’s what we’ll cover:

    • Stop firefighting: Learn how to set up security by design, not as an afterthought.
    • Take control: Discover how to govern AI agents that behave like users—but multiply like machines.
    • Be the enabler: Show leadership how security can accelerate AI adoption, not block it.

    Curious yet? Don’t miss out.

    This isn’t fluff or theory. You’ll get:

    • A practical framework to gain visibility and stay ahead of risk
    • Ways to prevent credential sprawl and privilege abuse from Day One
    • A strategy to align with business goals while protecting what matters

    Whether you’re an engineer, architect, or CISO, if you’ve felt like you’re stuck in reactive mode—you’re exactly who this is for.

    This is your moment to turn control into confidence. Register Today.


    Source: thehackernews.com…

  • ThreatsDay Bulletin: $176M Crypto Fine, Hacking Formula 1, Chromium Vulns, AI Hijack & More

    Oct 23, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Criminals don’t need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you’re already a target.

    This week’s ThreatsDay highlights show exactly how those weak points are being exploited — from overlooked misconfigurations to sophisticated new attack chains that turn ordinary tools into powerful entry points.

    1. Starlink crackdown hits Southeast Asian scam hubs

      SpaceX said it has disabled more than 2,500 Starlink devices connected to scam compounds in Myanmar. It’s currently not clear when the devices were taken offline. The development comes close on the heels of ongoing actions to crack down on online scam centers, with Myanmar’s military junta conducting raids on a scam hotspot in a rebel-held region of eastern Myanmar, detaining more than 2,000 people and seizing dozens of Starlink satellite internet devices at KK Park, a sprawling cybercrime hub to the south of Myawaddy.

      In February 2025, the Thai government cut off power supply to three areas in Myanmar (Myawaddy, Payathonzu, and Tachileik) which have become havens for criminal syndicates who have coerced hundreds of thousands of people in Southeast Asia and elsewhere into helping run online scams, including false romantic ploys, bogus investment opportunities, and illegal gambling schemes. These operations have been massively successful, ensnaring hundreds of thousands of workers and raking in tens of billions of dollars every year from victims, per estimates from the United Nations. The scam centers emerged out of Cambodia, Thailand, and Myanmar since the COVID-19 pandemic, but have since spread to other parts of the world such as Africa. Workers at the “labor camps” are often recruited and trafficked under the promise of well-paid jobs and then held captive with threats of violence.

      In recent months, law enforcement authorities have stepped up their efforts, arresting hundreds of suspects across Asia and deporting several of them. According to the Global New Light of Myanmar, a total of 9,551 foreign nationals who illegally entered Myanmar were arrested between January 30 and October 19, 2025, with 9,337 deported to their respective countries. Earlier this week, South Korean police officials formally arrested 50 South Koreans repatriated from Cambodia on accusations they worked for online scam organizations in the Southeast Asian country.

      Cambodia and South Korea recently agreed to partner in combating online scams following the death of a South Korean student who was reportedly forced to work in a scam center in Cambodia. The death of the 22-year-old has also prompted South Korea, which is reportedly readying sanctions against the groups operating in Cambodia, to issue a “code black” travel ban to parts of the country, citing recent increases in cases of detention and “fraudulent employment.” More than 1,000 South Koreans are believed to be among around 200,000 people of various nationalities working in Cambodia’s scam industry.

    Every one of these incidents tells the same story: attackers don’t break in — they log in, inject, or hijack what’s already trusted. The difference between surviving and becoming a headline is how fast you patch, isolate, and verify.

    Stay sharp, review your defenses, and keep watching ThreatsDay — because next week’s breaches are already being written in today’s overlooked bugs.


    Source: thehackernews.com…

  • Why Organizations Are Abandoning Static Secrets for Managed Identities

    Oct 23, 2025 | The Hacker News | DevOps / Data Protection

    As machine identities explode across cloud environments, enterprises report dramatic productivity gains from eliminating static credentials. And only legacy systems remain the weak link.

    For decades, organizations have relied on static secrets, such as API keys, passwords, and tokens, as unique identifiers for workloads. While this approach provides clear traceability, it creates what security researchers describe as an “operational nightmare” of manual lifecycle management, rotation schedules, and constant credential leakage risks.

    This challenge has traditionally driven organizations toward centralized secret management solutions like HashiCorp Vault or CyberArk, which provide universal brokers for secrets across platforms. However, these approaches perpetuate the fundamental problem: the proliferation of static secrets requiring careful management and rotation.

    “Having a workload in Azure that needs to read data from AWS S3 is not ideal from a security perspective,” explains one DevOps engineer managing a multicloud environment. “Cross-cloud authentication and authorization complexity make it hard to set this up securely, especially if we choose to simply configure the Azure workload with AWS access keys.”

    The Business Case for Change

    Enterprise case studies document that organizations implementing managed identities report a 95% reduction in time spent managing credentials per application component, along with a 75% reduction in time spent learning platform-specific authentication mechanisms, resulting in hundreds of saved hours annually.

    But how to approach the transition, and what prevents us from entirely eliminating static secrets?

    Platform-Native Solutions

    Managed identities represent a paradigm shift from the traditional “what you have” model to a “who you are” approach. Rather than embedding static credentials into applications, modern platforms now provide identity services that issue short-lived, automatically rotated credentials to authenticated workloads.

    The transformation spans major cloud providers:

    • Amazon Web Services pioneered automated credential provisioning through IAM Roles, where applications receive temporary access permissions automatically without storing static keys
    • Microsoft Azure offers Managed Identities that allow applications to authenticate to services like Key Vault and Storage without developers having to manage connection strings or passwords
    • Google Cloud Platform provides Service Accounts with cross-cloud capabilities, enabling applications to authenticate across different cloud environments seamlessly
    • GitHub and GitLab have introduced automated authentication for development pipelines, eliminating the need to store cloud access credentials in development tools

    The Hybrid Reality

    However, the reality is more nuanced. Security experts emphasize that managed identities don’t solve every authentication challenge. Third-party APIs still require API keys, legacy systems often can’t integrate with modern identity providers, and cross-organizational authentication may still require shared secrets.

    “Using a secret manager dramatically improves the security posture of systems that rely on shared secrets, but heavy use perpetuates the use of shared secrets rather than using strong identities,” according to identity security researchers. The goal isn’t to eliminate secret managers entirely, but to dramatically reduce their scope.

    Smart organizations are strategically reducing their secret footprint by 70-80% through managed identities, then using robust secret management for remaining use cases, creating resilient architectures that leverage the best of both worlds.

    The Non-Human Identity Discovery Challenge

    Most organizations don’t have visibility into their current credential landscape. IT teams often discover hundreds or thousands of API keys, passwords, and access tokens scattered across their infrastructure, with unclear ownership and usage patterns.

    “You can’t replace what you can’t see,” explains Gaetan Ferry, a security researcher at GitGuardian. “Before implementing modern identity systems, organizations need to understand exactly what credentials exist and how they’re being used.”

    GitGuardian’s NHI (Non-Human Identity) Security platform addresses this discovery challenge by providing comprehensive visibility into existing secret landscapes before managed identity implementation.

    The platform discovers hidden API keys, passwords, and machine identities across entire infrastructures, enabling organizations to:

    • Map dependencies between services and credentials
    • Identify migration candidates ready for managed identity transformation
    • Assess risks associated with current secret usage
    • Plan strategic migrations rather than blind transformations


    Source: thehackernews.com…

  • “Jingle Thief” Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards

    Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud.

    “Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards,” Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman said in a Wednesday analysis. “Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards.”

    The end goal of these efforts is to leverage the issued gift cards for monetary gain by likely reselling them on gray markets. Gift cards make for a lucrative choice as they can be easily redeemed with minimal personal information and are difficult to trace, making it harder for defenders to investigate the fraud.

    The name Jingle Thief is a nod to the threat actor’s pattern of conducting gift card fraud coinciding with festive seasons and holiday periods. The cybersecurity company is tracking the activity under the moniker CL‑CRI‑1032, where “CL” stands for cluster and “CRI” refers to criminal motivation.

    The threat cluster has been attributed with moderate confidence to criminal groups tracked as Atlas Lion and Storm-0539, with Microsoft describing it as a financially motivated crew originating from Morocco. It’s believed to be active since at least late 2021.

    Jingle Thief’s ability to maintain footholds within compromised organizations for extended periods, in some cases for over a year, makes it a dangerous group. During the time it spends with the environments, the threat actor conducts extensive reconnaissance to map the cloud environment, moves laterally across the cloud, and takes steps to sidestep detection.

    Unit 42 said it observed the hacking group launching a wave of coordinated attacks targeting various global enterprises in April and May 2025, using phishing attacks to obtain credentials necessary to breach victims’ cloud infrastructure. In one campaign, the attackers are said to have maintained access for about 10 months and broken into 60 user accounts within a single organization.

    “They exploit cloud-based infrastructure to impersonate legitimate users, gain unauthorized access to sensitive data, and carry out gift card fraud at scale,” the researchers noted.

    The attacks often involve attempts to access gift‑card issuance applications to issue high‑value cards across different programs, while simultaneously ensuring these actions leave minimal logs and forensic trails.

    [Figure: Jingle Thief phishing attack chain across Microsoft 365]

    They are also highly targeted and tailored to each victim, with the threat actors carrying out reconnaissance before sending persuasive phishing login pages via email or SMS that can fool victims and trick them into entering their Microsoft 365 credentials.

    As soon as the credentials are harvested, the attackers waste no time logging into the environment and carrying out a second round of reconnaissance, this time targeting the victim’s SharePoint and OneDrive for information related to business operations, financial processes, and IT workflows.

    This includes searching for gift card issuance workflows, VPN configurations and access guides, spreadsheets or internal systems used to issue or track gift cards, and other key details related to virtual machines and Citrix environments.

    In the next phase, the threat actors have been found to leverage the compromised account to send phishing emails internally within the organization to broaden their foothold. These messages often mimic IT service notifications or ticketing updates, making use of information gleaned from internal documentation or previous communications.

    Furthermore, Jingle Thief is known to create inbox rules to automatically forward emails from hacked accounts to addresses under their control, and then cover up traces of the activity by moving the sent emails immediately to Deleted Items.


    In some cases, the threat actor has also been observed registering rogue authenticator apps to bypass multi-factor authentication (MFA) protections and even enrolling their devices in Entra ID so as to maintain access even after victims’ passwords are reset or the session tokens are revoked.
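    The persistence techniques described above (forwarding inbox rules that hide their tracks, new MFA methods, device registrations) all leave traces in Microsoft 365 audit logs. The following is an added defender-side example, not code from the article or from Unit 42, that flags those traces in a simplified, constructed rendering of Unified Audit Log records; the operation names and the `Parameters` list shape follow the Exchange and Entra ID audit schema, while the sample records, the `example.com` tenant domain and the `attacker.example` address are constructed.

```python
"""Flag Jingle Thief-style persistence in simplified Microsoft 365 audit records:
forwarding inbox rules that hide mail, new MFA methods, and device registrations."""
import json

INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own mail domains


def _params(rec):
    # Exchange audit records carry cmdlet arguments as [{"Name": ..., "Value": ...}, ...]
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def check_record(rec):
    """Return a list of finding strings for a single audit record (empty if benign)."""
    op, user, findings = rec.get("Operation"), rec.get("UserId"), []
    if op in ("New-InboxRule", "Set-InboxRule"):
        p = _params(rec)
        # Any forward/redirect to a domain the tenant does not own is suspicious.
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in p.get(key, "").split(";"):
                addr = addr.strip().lower()
                if addr and addr.split("@")[-1] not in INTERNAL_DOMAINS:
                    findings.append(f"{user}: rule forwards mail to external {addr}")
        # Rules that bury matching mail in Deleted Items (or delete it) hide the forwarding.
        if p.get("MoveToFolder", "").lower() == "deleted items" or p.get("DeleteMessage") == "True":
            findings.append(f"{user}: rule hides matching mail in Deleted Items")
    elif op == "User registered security info":
        findings.append(f"{user}: new MFA method registered ({rec.get('Target', '?')})")
    elif op in ("Add registered owner to device", "Add device"):
        findings.append(f"{user}: device registered in Entra ID")
    return findings


def scan(log_lines):
    """Run check_record over newline-delimited JSON audit records."""
    out = []
    for line in log_lines:
        if line.strip():
            out.extend(check_record(json.loads(line)))
    return out


# Constructed sample records (not real tenant data); the second rule is benign.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Sync"},{"Name":"ForwardTo","Value":"drop@attacker.example"},{"Name":"MoveToFolder","Value":"Deleted Items"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"HR"},{"Name":"MoveToFolder","Value":"HR"}]}
{"Operation":"User registered security info","UserId":"alice@example.com","Target":"Authenticator App"}
{"Operation":"Add registered owner to device","UserId":"alice@example.com"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

In a real tenant the same logic would be fed from the Unified Audit Log export (or a SIEM query over it), and an alert on a user who trips more than one of these checks in a short window is a strong signal of the account takeover pattern described above.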

    Besides their exclusive focus on cloud services rather than endpoint compromise, another aspect that makes Jingle Thief’s campaigns noteworthy is their propensity for identity misuse over deploying custom malware, thereby minimizing the chances of detection.

    “Gift card fraud combines stealth, speed and scalability, especially when paired with access to cloud environments where issuance workflows reside,” Unit 42 said. “This discreet approach helps evade detection while laying the groundwork for future fraud.”

    “To exploit these systems, the threat actors need access to internal documentation and communications. They can secure this by stealing credentials and maintaining a quiet, persistent presence within Microsoft 365 environments of targeted organizations that provide gift card services.”


    Source: thehackernews.com…

  • Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms

    Oct 23, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.

    The vulnerability, CVE-2025-61932 (CVSS v4 score: 9.3), impacts on-premises versions of Lanscope Endpoint Manager, specifically Client program and Detection Agent, and could allow attackers to execute arbitrary code on susceptible systems.

    “Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability, allowing an attacker to execute arbitrary code by sending specially crafted packets,” CISA said.


    The flaw impacts versions 9.4.7.1 and earlier. It has been addressed in the versions below –

    • 9.3.2.7
    • 9.3.3.9
    • 9.4.0.5
    • 9.4.1.5
    • 9.4.2.6
    • 9.4.3.8
    • 9.4.4.6
    • 9.4.5.4
    • 9.4.6.3
    • 9.4.7.3

    It’s currently not known how the vulnerability is being exploited in real-world attacks, who is behind them, or the scale of such efforts. However, an alert issued by the Japan Vulnerability Notes (JVN) portal earlier this week noted that Motex has confirmed an unnamed customer “received a malicious packet suspected to target this vulnerability.”

    In light of active exploitation efforts, Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate CVE-2025-61932 by November 12, 2025, to safeguard their networks.


    Source: thehackernews.com…

  • Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw

    Oct 23, 2025 | Ravie Lakshmanan | Data Breach / Vulnerability

    E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours.

    The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be abused to take over customer accounts in Adobe Commerce through the Commerce REST API.

    Also known as SessionReaper, it was addressed by Adobe last month. A security researcher who goes by the name Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.

    The Dutch company said that 62% of Magento stores remain vulnerable to the security flaw six weeks after public disclosure, urging website administrators to apply the patches as soon as possible before broader exploitation activity picks up.


    The attacks have originated from a set of IP addresses published by Sansec, with unknown threat actors leveraging the flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information.


    “PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec said.

    The development comes as Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution.

    It’s worth noting that CVE-2025-54236 is the second deserialization vulnerability impacting Adobe Commerce and Magento platforms in as many years. In July 2024, another critical flaw dubbed CosmicSting (CVE-2024-34102, CVSS score: 9.8) was subjected to widespread exploitation.

    With proof-of-concept (PoC) exploits and additional specifics now entering public domains, it’s imperative that users move quickly to apply the fixes.


    Source: thehackernews.com…