Oracle E-Business Suite: Patch Zero-Day Actively Exploited by Cl0p; Okta and Zscaler Report on Salesloft Drift Breaches

The SANS Difference Makers Awards shine a light on cybersecurity practitioners who are leading innovative developments in the industry, who’ve made outstanding security achievements, and who are contributing to the InfoSec community in ways that deserve recognition. Voting is open through Wednesday, October 8 at 11:59 p.m. EDT.

https://www.sans.org/about/awards/difference-makers

Oracle has published a Security Alert Advisory for a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite that is being actively exploited by Cl0p threat actors. Dr. Johannes Ullrich has published a "Quick and Dirty Analysis of Possible Oracle E-Business Suite Exploit Script (CVE-2025-61882)" in an Internet Storm Center (ICS) diary. According to Oracle's advisory, the "vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution." Users are urged to update as soon as possible, with the caveat that the update requires users to have also applied the October 2023 Oracle Critical Patch Update. The advisory includes indicators of compromise. Mandiant CTO Charles Carmakal notes that Cl0p has exploited known vulnerabilities in addition to this zero-day to "steal large amounts of data from several victim[s] in August 2025." CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog.

Last week, researchers from Google Mandiant and Google Threat Intelligence Group (GTIG) reported that they were tracking malicious activity with possible links to the Cl0p threat actor. Mandiant and GTIG said that the threat actors were stealing data from Oracle E-Business Suite users. On Thursday, October 2, Oracle confirmed that some E-Business Suite customers received emails demanding payment or face having sensitive information released. At the time, Oracle CSO Rob Duhart wrote that the company's "ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.” (Ed: Duhart's blog post has since been updated to reflect Oracle's release of an advisory and patch for a zero-day vulnerability in E-Business Suite (CVE-2025-61882); see story above.)

Okta and Zscaler were among the hundreds of Salesloft Drift customers targeted in supply chain attacks that led to the theft of Salesforce customer data. Salesloft's initial investigation, conducted by Mandiant, indicates that between March and June 2025, the threat actor accessed Salesloft's GitHub account and downloaded "content from multiple repositories, ... then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations." The data theft took place in mid-August. Salesforce notified Zscaler a week after the data theft; Zscaler revoked its compromised Drift OAuth token “even though it didn’t really matter by that point,” according to Zscaler CISO Sam Curry. The threat actor has already stolen Zscaler customer data. Zscaler had stopped using Drift before the attack, but the related OAuth token was still active, set to be retired at the end of August. Okta became aware of unusual activity when there were warnings of issues with Drift. Okta detected attempts "to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes," according to information from Okta CISO David Bradbury. Because of that configuration, Okta did not experience customer data theft.

Over the past week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added a dozen CVEs to the Known Exploited Vulnerabilities (KEV) catalog. Of those, half are more than a decade old; all 12 have been granted the regular three-week mitigation deadline. The CVEs are: a GNU Bash OS command injection vulnerability (CVE-2014-6278); a Jenkins remote code execution vulnerability (CVE-2017-1000353); a Juniper ScreenOS improper authentication vulnerability (CVE-2015-7755); an out-of-bounds write vulnerability in Samsung mobile devices (CVE-2025-21043); a command injection vulnerability in Smartbedded Meteobridge (CVE-2025-4008); a Linux Kernel heap out-of-bounds write vulnerability (CVE-2021-22555); an uninitialized memory corruption vulnerability in Microsoft Internet Explorer (CVE-2010-3962); a privilege escalation vulnerability in Microsoft Windows (CVE-2021-43226); an out-of-bounds write vulnerability in Microsoft Windows (CVE-2013-3918); a remote code execution vulnerability in Microsoft Windows (CVE-2011-3402); a remote code execution vulnerability in multiple Mozilla products (CVE-2010-3765); and an unspecified vulnerability in Oracle E-Business Suite (CVE-2025-61882): see the related stories on Oracle in this issue.

Discord has published a security update notifying users of a recent cyberattack on a third-party customer service provider, resulting in data theft "with a view to extort a financial ransom." Once the company was aware one of its third-party providers had been compromised, Discord revoked the provider's access to the ticketing system and engaged computer forensics experts and law enforcement to help investigate and remediate. The attacker accessed data belonging to only "a limited number of users who had contacted Discord through [Discord's] Customer Support and/or Trust & Safety teams," which may include "name, Discord username, email and other contact details if provided to Discord customer support ... Limited billing information such as payment type, the last four digits of your credit card, and purchase history if associated with your account ... IP addresses ... Messages with our customer service agents ... [and] Limited corporate data (training materials, internal presentations)," as well as "a small number of government‑ID images (e.g., driver’s license, passport) from users who had appealed an age determination." The breach does not appear to involve full credit card numbers or CCV codes, messages or activity outside of customer support, or authentication data. Discord has notified data protection authorities and reviewed its threat detection systems and security controls for third-party support providers. The notice recommends all users exercise caution with communications and reach out to provided "service agents" with any questions; Discord will contact any affected users exclusively from noreply@discord[.]com and never by phone.

On October 2, 2025, Red Hat posted a security update disclosing unauthorized access to a GitLab instance belonging to Red Hat Consulting. Once the company detected the intrusion, they removed the intruder's access, isolated the GitLab instance, contacted authorities, and implemented security hardening for containment and prevention of future attacks. Red Hat began investigating immediately and determined that an attacker had exfiltrated information from a GitLab instance containing consulting engagement data including "Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information." Red Hat believes that this breach only affects Red Hat Consulting customers, and does not have evidence of impact on Red Hat products, services, or its software supply chain. The company also confirms that this attack is unrelated to the previous day's critical vulnerability in OpenShift AI (CVE-2025-10725). Investigation is ongoing, and potentially affected customers will be notified directly. GitLab has emphasized that the breached instance was self-managed, and "there has been no breach of GitLab’s managed systems or infrastructure."

In June 2025, RyotaK, a security engineer at GMO Flatt Security, responsibly disclosed a high-severity flaw in the Unity game engine, affecting Android, Windows, Linux, and macOS systems. CVE-2025-59489, CVSS score 8.4, allows an attacker to locally execute arbitrary code and exfiltrate confidential information from systems, exploiting a vulnerability in Unity Runtime's intent handling process that loads library code from an unintended location and enables a malicious application to take the permissions granted to Unity applications. RyotaK's analysis also notes the possibility of remote exploitation under certain conditions. Unity has published a security advisory with patches for Unity Editor versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2, as well as for no-longer-supported versions including 2019.1 and newer. The patch itself is not the full fix: developers must rebuild and redeploy vulnerable applications using the updated editor. A Unity Application Patcher is also available to apply a hotfix if rebuilding from source is not possible. Unity notes that "On Microsoft Windows systems, the presence of a registered custom URI handler for a vulnerable application or handler name could increase the risk of exploitation." Microsoft's own advisory recommends users uninstall all impacted applications until updated versions are available, noting that Xbox consoles, Xbox Cloud Gaming, iOS, and HoloLens are not affected. Valve has also published a notice announcing a Steam Client update that blocks games from launching through the Steam Client custom URI scheme or through an OS shortcut, if they contain command line parameters that indicate the vulnerability. Unity estimates over 1.2 million monthly active users of the Unity Editor, and 3 billion downloads per month of mobile games built with Unity.

Google and Mozilla have released updates to address security issues in their flagship browsers. Google released Chrome 141, which addresses 21 vulnerabilities, including 12 reported externally. Of those, two are high-severity heap buffer overflow issues affecting Chrome’s WebGPU and Video components (CVE-2025-11205 and CVE-2025-11206). Mozilla released Firefox 143.0.3 to address two high-severity vulnerabilities in the Graphics: Canvas2D and JavaScript Engine: JIT components.

A Jaguar Land Rover (JLR) spokesperson has confirmed to the Register that the company expects manufacturing to resume over the next few days. The company's three UK production plants are likely to start up gradually, taking several weeks to return to operating as usual. JLR shut down operations at the beginning of September following a debilitating cyberattack. Japanese brewing company Asahi Group Holdings has confirmed that the cyber incident reported at the end of September was a ransomware attack and that the perpetrators exfiltrated data from Asahi's systems. The company is currently processing orders manually and is working to restore call center operations.

In late September 2025, Florida radiology practice Doctors Imaging Group (DIG) posted a notice disclosing a data breach that took place between November 5 and November 11, 2024. Upon discovering suspicious activity, DIG "moved quickly to respond and investigate, ... assess the security of [its] network, and notify potentially impacted individuals," also notifying law enforcement and regulators. DIG began an investigation that concluded on August 29, 2025, having determined that "files were copied," including "name, address, date of birth, admission date, financial account number, financial account type, patient account number, medical record number, health insurance information, medical treatment information, medical claim information and Social Security number." DIG sent notification letters to affected individuals "where address information is available as information became available," and is assessing new preventative cybersecurity tools as well as reviewing policies and procedures. The notice recommends vigilance over account statements and explanation of benefits statements, and suggests credit monitoring. DIG offers contact details for questions by email, postal address, and toll-free assistance phone line. A report to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) shows the number of affected individuals at 171,862.