Red Hat GitLab Breach and OpenShift AI Flaw; Critical sudo Flaw Added to CISA KEV; CISA Will Not Renew MS-ISAC Funding

Following an alleged threat actor’s social media and email claims of data theft from Red Hat, the software company has stated to news sources, "[We are] aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," also clarifying that the incident "is related to a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub." The Centre for Cybersecurity Belgium (CCB) has published an advisory containing more details, informing Belgian organizations that a data breach at Red Hat Consulting Services compromised "repositories containing Customer Engagement Reports (CERs)" which may include network information, authentication tokens and keys, configuration data, and other details. Red Hat has not publicly commented on these details. The CCB warns of "high risk" to organizations who have interacted with Red Hat Consulting and shared credentials, tokens, or configuration data; those who have implemented integrations involving Red Hat systems; and those who have used Red Hat Consulting services or worked with third-party providers who have, posing a supply chain risk. The CCB advisory recommends that organizations revoke and rotate tokens, keys, and credentials; consult third parties about possible exposure; contact Red Hat directly for guidance; and "increase Monitoring of authentication events, API calls, and system access for anomalies." Unrelatedly, Red Hat also recently disclosed and patched CVE-2025-10725, a CVSS 9.9 flaw in its OpenShift AI platform that allows "a low-privileged attacker with access to an authenticated account" to achieve "a total breach of the platform and all applications hosted on it" by escalating privileges to a full cluster administrator.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the command line utility sudo, used in Linux and Unix-like operating systems including macOS, to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-32463, CVSS score 9.3, allows a local attacker not listed in the permitted sudoers file to run arbitrary commands as root by leveraging the -R (--chroot) option to load /etc/nsswitch[.]conf from a user-controlled directory. Rich Mirch with the Stratascale Cyber Research Unit (CRU) originally discovered and reported the flaw, which was patched and publicly disclosed in June 2025 as of sudo 1.9.17p1, with a proof of concept exploit published in July. Federal Civilian Executive Branch agencies are required to patch this vulnerability by October 20.

The US Cybersecurity and Infrastructure Security Agency (CISA) has ended its "cooperative agreement with the Center for Internet Security (CIS) [as of] September 30, 2025." CIS president and CEO John Gilligan told The Register that "CIS has been informed that the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency have chosen not to renew federal funding that for the past 20 years has supported the MS-ISAC’s (Multi-State ISAC's) highly effective work to increase the security resilience for state, local, tribal, and territorial (SLTT) organizations," adding that "CIS remains committed to the SLTT community. The new fee-based membership model for the MS-ISAC will permit it to continue to deliver high-impact cybersecurity services including threat intelligence in a variety of forms and formats, best practices and collaboration opportunities, and effective monitoring, blocking, and response to cyber attacks." CISA says it plans to support state, local, tribal, and territorial (SLTT) governments through access to grant funding from the Department of Homeland Security (DHS) and other services.

Earlier this week, Broadcom has released two advisories to address a total of six vulnerabilities. The first advisory, VMSA-2025-0015, addresses three vulnerabilities in VMware Aria Operations and VMware Tools: a local privilege escalation vulnerability (CVE-2025-41244); a VMware Aria Operations Information disclosure vulnerability (CVE-2025-41245); and a VMware Tools improper authorization vulnerability (CVE-2025-41246). Researchers at NVISO say that CVE-2025-41244 has been exploited as a zero-day vulnerability since mid-October 2024. The second advisory, VMSA-2025-0016, addresses three vulnerabilities in VMware vCenter and NSX: a vCenter SMTP header injection vulnerability (CVE-2025-41250); an NSX weak password recovery mechanism vulnerability (CVE-2025-41251); and an NSX username enumeration vulnerability (CVE-2025-41252). Affected products include VMware NSX, NSX-T, VMware Cloud Foundation, VMware vCenter Server, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure. All three flaws are rated high severity. Broadcom was alerted to the vulnerabilities by the US National Security Agency.

The OpenSSL project has released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd of the OpenSSL Library to address three vulnerabilities: CVE-2025-9230, a moderate severity out-of-bounds read/write issue that can be exploited for arbitrary code execution or DoS attacks; CVE-2025-9231, a moderate severity timing side-channel in the SM2 algorithm implementation on 64 bit ARM platforms that could potentially allow remote recovery of the private key; and CVE-2025-9232, a low severity out-of-bounds read issue that can trigger a crash, leading to denial-of-service conditions. Users are urged to update to fixed versions of OpenSSL.

The US National Institute of Standards and Technology's (NIST's) National Cybersecurity Center of Excellence (NCCoE) has published guidance for reducing the cybersecurity risks of portable storage media in OT environments. The document focuses primarily on USB devices, but also addresses external hard drives and CD and DVD drives. "The NCCoE has developed cybersecurity considerations to be integrated into a broader cybersecurity risk management program to help OT personnel use portable storage media securely and effectively," including procedural, physical, and technical controls, and transport and sanitization recommendations.

The European Union Agency for Cybersecurity (ENISA) has published the ENISA Threat Landscape 2025 report. The report analyzes nearly 4,900 cyber incidents affecting European organizations between July 2024 and June 2025. Among the findings: the most common initial infection vector was phishing (60%), followed by vulnerabilities (21.3%), botnets (9.9%), and malicious applications (8%). The majority of incident types were identified as DDoS (76.7%), followed by intrusion (17.8%), and the distribution of threats was headed by mobile (42.4%), then web threats (27.3%), operational technology (18.2%), and supply chain (10.6%). The report "integrates additional analysis of adversary behaviours, vulnerabilities and geopolitical drivers, aimed at both strategic and operational audiences, offering an actionable perspective on trends shaping the EU’s cyber threat environment."

Three North American companies that experienced data breaches in the summer of 2025 have filed reports with the Office of the Maine Attorney General and are sending notification letters to those affected. Calgary-based airline WestJet discovered unauthorized access to their systems on June 13; they immediately secured their environment, notified authorities, and began investigating with the aid of internal and external experts. WestJet's analysis of the breach concluded on September 15 and determined that 1.2 million individuals' data may have been compromised, including "name, date of birth, [and] mailing address," as well as information about travel documents, accommodations, and complaints. While "no credit card or debit card numbers, expiry dates or CVV numbers or account passwords were involved," WestJet credit card identifier type and WestJet Rewards ID number and points balance along with associated account information, excluding passwords, may also be compromised. The airline recommends affected customers notify others who may have traveled under the same booking number. WestJet is offering 24 months of free identity theft and monitoring through myTrueIdentity, including proactive fraud assistance and expense reimbursement insurance. On July 16, a threat actor breached a third-party cloud customer relationship management (CRM) system used by Insurance company Allianz Life; Allianz immediately contained and mitigated the attack, and has found no evidence that Allianz's own network or company systems were accessed. Investigation revealed that information belonging to nearly 1.5 million "customers, financial professionals, and select Allianz Life employees" may have been compromised, including "name, address, date of birth and Social Security number." Allianz is offering 24 months of identity monitoring through Kroll. On August 19, vehicle dealership software developer Motility detected unauthorized access to their servers by a threat actor who exfiltrated customer data before encrypting a portion of the company's systems. Motility implemented preventative security measures, restored systems from backups, established dark net monitoring, and engaged experts and legal counsel. Investigation determined that 766,670 customers' information was affected, including "full name, postal address, e-mail address, telephone number, date of birth, social security number, and driver’s license number." Motility is offering 12 months of free identity monitoring services through LifeLock.

The UK Government has reportedly issued a second Technical Capability Notice (TCN) to Apple under the country's Investigatory Powers Act, once again demanding the right to access to users' encrypted data, but this time limiting the scope to users in the UK. While the Home Office and Apple are not legally permitted to comment, the Financial Times and BBC report that this new notice "targeting only British users’ data" may represent a compromise following January 2025's TCN targeting all Apple users -- also initially neither confirmed nor denied -- which was withdrawn in August according to US Director of National Intelligence Tulsi Gabbard. Since February, Apple has rescinded and disabled Advanced Data Protection (ADP) encryption for UK users, even after the alleged withdrawal. During an April appeal hearing for the first TCN, the Investigatory Powers Tribunal ruled that the government's desire to withhold the "bare details of the case" from public knowledge is not justified by the possible impacts to public interest and national security. According to the BBC, "A tribunal hearing is still due to take place in January 2026."

Emirates (UAE). The malware specimens, which are delivered through maliciously crafted web sites and social engineering, are disguised as Android Signal and ToTok apps. The spyware "exfiltrate[s] user data, including documents, media, files, contacts, and chat backups," to servers controlled by the attackers. The spyware campaigns were detected in June 2025; one appears to have been active since 2022, and the other is believed to have been active since 2024. The apps were not available in official app stores – instead, users needed to install them manually from third-party sites. One of the malicious websites is a phony version of the Samsung Galaxy Store.