SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

On Saturday, October 11, Oracle released a patch for another vulnerability in its Oracle E-Business Suite. The patch for CVE-2025-61884, a high-severity, remotely exploitable vulnerability, follows just a week after Oracle patched CVE-2025-61882, a critical vulnerability in E-Business Suite that was being actively exploited. According to Oracle's advisory for CVE-2025-61884, the vulnerability affects the Runtime UI of Oracle Configurator, and "may be exploited over a network without the need for a username and password ...[potentially] allow[ing] access to sensitive resources." The advisory says the vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. Users are urged to apply updates as soon as possible.
Oracle’s advisory did not state that this vulnerability is already being exploited, or how it is related to last week's surprise patch and exploit. But given the timing (about two weeks before the regular quarterly critical patch update) and the overall lack of detail in Oracle’s advisories, it is fair to assume that this vulnerability is already being exploited.
This one doesn't appear to be actively exploited, but rather one discovered while chasing down CVE-2025-61882. CVE-2025-61884 has a CVSS score of 7.5 and the fix is a one-off patch, meaning you need to apply this fix separately from the CPU. Apply the mitigations and verify your WAF is looking for the malicious behavior, in blocking not learning mode.
Oracle
SecurityWeek
Help Net Security
The Hacker News
BleepingComputer
NIST
NIST
Researchers at Huntress have published a threat advisory warning that they have "observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments." The advisory follows SonicWall's announcement last week that a September 2025 breach of firewall configuration files affected all customers who use SonicWall's cloud services to back up those files. Huntress researchers say they observed "threat actors ... authenticating into multiple accounts rapidly across compromised devices" starting on October 4; as of the writing of the blog, more than 100 SonicWall SSLVPN accounts across 16 customer accounts have been affected. All the observed authentications originated from the same IP address. Huntress cautions that there is no evidence that the spate of attacks they observed is related to the September breach.
If you used SonicWall’s “MySonicWall” service to back up your configurations, assume someone else got a copy of it and is now actively attempting to exploit as many SonicWalls as possible before users get around to changing credentials.
While there doesn't appear to be a connection between this attack and the earlier data breach, it's still a good idea to make sure you reset admin credentials and API keys used for management, disable WAN access to the admin console, and enforce MFA for all admin and remote accounts.
Terminating VPNs on the application reduces the attack surface significantly, perhaps to the point that the vulnerability is no longer interesting.
The Hacker News
BleepingComputer
SecurityWeek
Huntress
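The pattern Huntress describes, one source IP authenticating into many distinct accounts in quick succession, is easy to hunt for in VPN authentication logs. The script below is an added example, not code from Huntress or SonicWall: it parses a few constructed syslog-style lines (the field layout is invented for the example and is not SonicWall's real log format) and flags any source IP that successfully authenticated to at least `min_accounts` distinct users inside a sliding time window.

```python
"""Flag a single source IP authenticating into many distinct VPN accounts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a generic syslog-like layout (NOT a vendor's real log format).
# 203.0.113.7 logs into five different accounts within about ten seconds; the other
# addresses show ordinary single-user activity.
SAMPLE_LOG = """\
2025-10-04T02:10:01Z vpn-fw01 sslvpn: user=alice src=203.0.113.7 result=success
2025-10-04T02:10:04Z vpn-fw01 sslvpn: user=bob src=203.0.113.7 result=success
2025-10-04T02:10:05Z vpn-fw01 sslvpn: user=carol src=203.0.113.7 result=success
2025-10-04T02:10:09Z vpn-fw01 sslvpn: user=dave src=203.0.113.7 result=success
2025-10-04T02:10:12Z vpn-fw01 sslvpn: user=erin src=203.0.113.7 result=success
2025-10-04T08:00:00Z vpn-fw01 sslvpn: user=alice src=198.51.100.20 result=success
2025-10-04T08:30:00Z vpn-fw01 sslvpn: user=frank src=198.51.100.21 result=failure
2025-10-04T09:00:00Z vpn-fw01 sslvpn: user=alice src=198.51.100.20 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn raw lines into (timestamp, user, source_ip, result) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def find_multi_account_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted account list} for every source IP that successfully
    authenticated to at least `min_accounts` distinct accounts within any `window`-long
    sliding window. Failed attempts are ignored: the page describes successful logins."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "success":
            by_src[src].append((ts, user))

    findings = {}
    for src, logins in by_src.items():
        logins.sort()  # chronological order is required for the sliding window
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it fits inside `window`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            users = {user for _, user in logins[start:end + 1]}
            if len(users) >= min_accounts:
                findings[src] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    for src, users in find_multi_account_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(users)} distinct accounts in window -> {', '.join(users)}")
```

The thresholds are deliberately conservative; tune `window` and `min_accounts` to your own baseline (shared NAT egress addresses will legitimately show several users from one IP) and feed the output into the credential-reset and MFA-enforcement steps the comments above recommend.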
The BreachForums domain has once again been taken down. Law enforcement authorities from the US and France seized the domain on Thursday, October 9, hours before the threat actor group responsible for the theft of data from multiple Salesforce instances had planned to post the stolen information. Earlier last week, Salesforce said they had no intention of paying the ransom demand. On Thursday evening, visitors to the web address for BreachForums were greeted with a banner that says, "This domain has been seized," accompanied by the insignias of the FBI, the US Department of Justice, and France's Brigade Centrale de Lutte Contre la Cybercriminalité and Juridiction Nationale de lutte contre la Criminalité Organisée. This is the latest of several incarnations of BreachForums taken down by authorities since 2023.
The efforts this time seem more comprehensive and may truly be the proverbial stake through the heart, as they included seizing and destroying the hardware and database backups since 2023. The site had about 340,000 members before the takedown, and facilitated access to sensitive personal information of US citizens.
Trend Micro's Zero Day Initiative (ZDI) published 13 advisories regarding unpatched vulnerabilities in Ivanti Endpoint Manager. One is a privilege escalation vulnerability, and the rest are remote code execution vulnerabilities. ZDI reported the local privilege escalation flaw to Ivanti in November 2024; Ivanti confirmed the issue in January 2025, and in July communicated that patches would be available in November 2025. The other 12 were reported in June 2025. At the time, Ivanti said it would patch 10 of them in September, but later requested an extension until March 2026 for all 12. ZDI has given vendors 120 days to address reported vulnerabilities; if the vendor does not meet the deadline without sufficient reason, ZDI will publish advisories. ZDI has also published an advisory regarding a 14th vulnerability (CVE-2025-9872) in Ivanti Endpoint Manager — this one has a fix available.
Note that it may take until next year for some of the critical vulnerabilities to be patched. Until then: May the odds be in your favor.
Proper input validation isn't new, and ensuring ALL user-supplied input is validated (no matter how hard your developers think it is to supply bad input) has to be SOP. The issues all appear to stem from improperly validated input in various Endpoint Manager services, which results in deserialization of untrusted data and code execution with system or service account privileges. Make sure that you're on the latest Ivanti Endpoint Manager, 2024 SU3 Security Release 1. If you're on branch 2022, move to the newer versions; it's EoL this month and it's unlikely any further fixes will be back-ported there.
An interesting dilemma posed to the vendor: patch in four months or we release certain details of vulnerabilities with your product in an advisory. To me it feels like four months is a sufficient amount of time to diagnose, confirm, and patch a product. How else do you make the vendor accountable for the safety of their product if they don’t prioritize security ahead of new features?
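The root cause the comment above describes, unvalidated input reaching a deserializer and turning into code execution, has the same shape in every language. The following is an added example (not Ivanti's code, and Python rather than the .NET stack Endpoint Manager runs on) that contrasts a plain `pickle.loads` with an allowlist-based unpickler: the hostile object is a constructed stand-in whose `__reduce__` points at the harmless `os.getcwd`, which is enough to show that ordinary loading invokes a callable chosen by whoever produced the bytes, while the hardened loader refuses anything outside its allowlist.

```python
"""Unsafe deserialization beside an allowlist-based hardened loader."""
import datetime
import io
import os
import pickle


class CallsOnLoad:
    """Constructed stand-in for hostile serialized data: when unpickled, the interpreter
    calls whatever callable __reduce__ names. Here that is os.getcwd, which is harmless,
    but the point is that the producer of the bytes picks the callable, not the loader."""

    def __reduce__(self):
        return (os.getcwd, ())


def hostile_payload():
    return pickle.dumps(CallsOnLoad())


def benign_payload():
    # A record of the kind an application might legitimately store or receive
    return pickle.dumps({"user": "alice", "joined": datetime.date(2025, 10, 11)})


def unsafe_loads(data):
    """The 'before' picture: trusts every global reference embedded in the stream."""
    return pickle.loads(data)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened loader: only the (module, name) pairs listed here may be resolved."""

    SAFE_GLOBALS = {("datetime", "date")}  # extend deliberately, one type at a time

    def find_class(self, module, name):
        if (module, name) in self.SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data):
    """Return ("ok", object) or ("rejected", reason) so callers can log the rejection."""
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print("unsafe load of hostile bytes returned:", unsafe_loads(hostile_payload()))
    print("safe load of hostile bytes:", try_safe_loads(hostile_payload()))
    print("safe load of benign bytes:", try_safe_loads(benign_payload()))
```

Where you control the format, prefer a data-only encoding such as JSON with schema validation over any native object serializer; the allowlist above is the mitigation for code you cannot change quickly, and it belongs alongside the vendor patch, not instead of it.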
Microsoft has changed how users access the Edge browser's Internet Explorer (IE) compatibility mode, following reports of threat actors abusing an unpatched zero-day flaw in IE's Chakra JavaScript engine. Through social engineering, threat actors lured users to visit a counterfeit web page containing a UI prompt to reload in IE mode. This allowed the threat actor to exploit Chakra to achieve remote code execution and leverage "a second exploit to elevate their privileges out of the browser to gain full control of the victim’s device." Microsoft provides IE compatibility mode for legacy applications and devices in business, security, and government sectors, but notes that IE 11 reached end-of-life (EoL) on June 15, 2022, and "was not designed with the robust architecture and defence-in-depth mitigations that we have come to expect from modern Chromium-based browsers." The Edge browser security team encourages users to migrate away from legacy web technologies, and has removed the "dedicated toolbar button, context menu, and ... hamburger menu" controls for enabling IE mode. Users now must enable IE mode on a site-by-site basis by turning on the mode in settings and adding specific sites to a permitted list. "No changes were made to the logic for commercial users to enable IE mode through enterprise policies."
Sites exploiting the IE mode flaw typically have a popup that says reload in IE compatibility mode. The setting changes make reloading that site in IE mode an explicit choice, raising the bar on accidentally exposing a vulnerable browser. While you can still enable IE mode for the enterprise in addition to a site-by-site basis, it's time to move off the sites that depend on IE mode. If you cannot, investigate a sandboxed enterprise browser or other isolation techniques to minimize risks.
First, after three years of EoL, it's time for MSFT to no longer offer backwards IE compatibility. It’s a risk to the user, the customer, and the broader Internet community. Second, a failure on the part of the user in: a) visiting a compromised web site and, b) making a configuration change to enable the attack. Perhaps it’s time to revisit the online safety awareness campaign: Stop. Think. Connect.
Maintaining backwards compatibility and achieving security are often at odds.
Fortra has published a summary of their investigation into the GoAnywhere Managed File Transfer (MFT) critical deserialization vulnerability (CVE-2025-10035) that was disclosed in September and has been exploited. According to the blog, Fortra began investigating the vulnerability on September 11, 2025, and then "developed and released hotfixes for supported versions and updated the product to further secure the affected component. [They] also notified all Fortra GoAnywhere MFT customers of the available updates and mitigation steps." The blog includes a timeline of Fortra's activity regarding CVE-2025-10035 as well as indicators of compromise; recommendations for users, which include ensuring the admin console is not exposed to the public internet, enabling monitoring and alerts, and ensuring that software is kept up to date; and an impact statement, which notes that "the scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet."
Regardless of your MFT admin console being Internet accessible, review the Fortra MFT hardening guide and industry specific guidance to ensure you've optimally configured your environment. Then take steps to limit the exposure of the Admin Console, removing Internet accessibility if possible.
Researchers at Cisco Talos have confirmed malicious use of the open-source digital forensics and incident response (DFIR) tool Velociraptor during ransomware attacks, and believe that this activity matches the tactics, techniques, and procedures (TTPs) of China-aligned threat actor Storm-2603. While responding to a ransomware attack in mid-August 2025, Talos observed that a threat actor had installed an outdated version of Velociraptor while deploying "Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers." The tool is designed for endpoint monitoring, data collection, and analysis during DFIR investigations, but the threat actors "installed an outdated version of Velociraptor (version 0.73.4.0) that was exposed to a privilege escalation vulnerability (CVE-2025-6264) that could lead to arbitrary command execution and endpoint takeover." The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6264 to its Known Exploited Vulnerabilities (KEV) catalog on October 14, 2025, with a mitigation deadline of November 4, 2025. In a separate incident, also in August, the Sophos Counter Threat Unit (CTU) saw Velociraptor abused to download and run "Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command and control (C2) server." Cisco Talos and Sophos both provide indicators of compromise (IoCs) based on these attacks. Rapid7, which maintains Velociraptor, states that the tool "deliberately creates some IOCs which are easy to detect" if misused. For organizations already using Velociraptor, Rapid7 recommends differentiating malicious activity from legitimate use by examining all audit logs for unusual sets of command line arguments, ensuring the tool's agent configuration has not been tampered with, and ensuring the service control manager always starts the Velociraptor binary using a normal process lineage.
Grab the IoCs from Talos and Sophos and hunt for them. Leverage the Rapid7 Velociraptor misuse detection guide and Inception tool, which will help detect unexpected instances of Velociraptor. Make sure any installed copies are legitimate, and if so, that they are current and patched.
Talos Intelligence
Sophos
Velociraptor
Dark Reading
BleepingComputer
The Hacker News
NIST
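Rapid7's three checks (unusual command-line arguments, a tampered agent configuration, and an abnormal process lineage) plus the version called out by Talos can be applied mechanically to endpoint telemetry. The script below is an added example, not Rapid7's detection guide or Inception tool: it runs those checks over constructed process-creation events. The field names, the expected parent process, and the "sanctioned" command-line tokens are assumptions standing in for an organisation's own deployment baseline, not a documented Velociraptor command line.

```python
"""Triage constructed endpoint telemetry for signs of Velociraptor misuse."""
import hashlib

# Assumptions standing in for an organisation's sanctioned deployment; tune to your baseline.
GOOD_CONFIG = b"constructed baseline client config"            # stand-in for the real config file
KNOWN_GOOD_CONFIG_SHA256 = hashlib.sha256(GOOD_CONFIG).hexdigest()
EXPECTED_PARENT = "services.exe"                                # Service Control Manager should start the agent
EXPECTED_CMDLINE_TOKENS = {"service", "run"}                    # hypothetical baseline, not a documented CLI
ABUSED_VERSION = (0, 73, 4, 0)                                  # version Talos reported in the August incident

# Constructed sample events with generic field names (NOT a vendor's real EDR schema).
# config_sha256 is the hash of the agent config file on disk at event time.
SAMPLE_EVENTS = [
    {"host": "srv01", "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "parent": "services.exe", "cmdline": "velociraptor.exe service run",
     "version": "0.74.1.0", "config_sha256": KNOWN_GOOD_CONFIG_SHA256},
    {"host": "srv02", "image": r"C:\Users\Public\velociraptor.exe",
     "parent": "powershell.exe",
     "cmdline": r"velociraptor.exe --config C:\Users\Public\c.yaml client -v",
     "version": "0.73.4.0",
     "config_sha256": hashlib.sha256(b"attacker supplied config").hexdigest()},
    {"host": "srv03", "image": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs",
     "version": "", "config_sha256": ""},
]


def version_tuple(version):
    """'0.73.4.0' -> (0, 73, 4, 0); empty string -> () so it sorts below everything."""
    return tuple(int(part) for part in version.split(".")) if version else ()


def assess_event(event, known_good_hash=KNOWN_GOOD_CONFIG_SHA256):
    """Return the list of reasons this event looks like misuse (empty list = nothing unusual).
    Only Velociraptor processes are assessed; everything else returns []."""
    if not event["image"].lower().endswith("velociraptor.exe"):
        return []
    reasons = []
    # 1. Process lineage: the service binary should be started by the SCM, not by a shell
    if event["parent"].lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent process {event['parent']}")
    # 2. Command line: any argument set other than the sanctioned one is worth a look
    tokens = set(event["cmdline"].split()[1:])
    if tokens != EXPECTED_CMDLINE_TOKENS:
        reasons.append(f"unusual command line: {event['cmdline']}")
    # 3. Configuration integrity: the on-disk config must match the deployed baseline
    if event["config_sha256"] != known_good_hash:
        reasons.append("agent config hash differs from known-good baseline")
    # 4. Version: anything no newer than the build abused in the Talos case is a red flag
    if version_tuple(event["version"]) <= ABUSED_VERSION:
        reasons.append(f"version {event['version'] or 'unknown'} is no newer than 0.73.4.0")
    return reasons


def triage(events):
    """Map host -> reasons for every event that trips at least one check."""
    findings = {}
    for event in events:
        reasons = assess_event(event)
        if reasons:
            findings[event["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The hash comparison is the check most worth automating: a config file that no longer matches the one you deployed means either an unsanctioned install or a modified agent, and both should be treated as an incident rather than a drift ticket.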
In the interest of "a cleaner, more focused browsing experience," Google's Chrome browser is launching a new feature that will allow users to stop receiving notifications from websites they have not visited recently. In a blog post, Chrome Product Manager Archit Agarwal notes that "less than 1% of all notifications receive any interaction from users." The "feature will only revoke permissions for sites when there is very low user engagement and a high volume of notifications being sent." Chrome will notify users when notification permissions for a given website have been revoked. Notifications can be re-enabled through Safety Check or by manually turning them back on for the website itself; the notification revocation feature can also be turned off completely. The feature will be introduced in Chrome for Android and desktop, and will not revoke notification permissions for installed web apps. Just over a year ago, Chrome added a feature that allows users to grant websites one-time permissions, which are automatically revoked once users leave the site.
This is part of Chrome's Safety Check, which was enhanced in September 2024 to include one-time permissions as well as to remove camera/location access on infrequently visited sites. You will be able to review and alter the behavior in chrome://settings/safetyCheck.
I suspect that most users don’t even remember the notification setting and welcome the addition of this new extension. If nothing else it will reduce those pesky notifications and indirectly lead to better browser privacy.
Security features are not sufficient to overcome the fundamental risk of browsers. Prefer purpose built clients for sensitive applications. Restrict the use of browsers to browsing and isolate browsing from mission critical applications. One makes this recommendation with an appreciation of both the implications and the risks.
SimonMed Imaging has begun mailing letters to individuals whose protected health data were compromised in a January 2025 incident that began as a breach of a third-party vendor. In documentation filed with the Maine Attorney General's office, SimonMed said the breach affected data belonging to 1,275,669 individuals. SimonMed reported the incident to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) in late March 2025; at the time, SimonMed provided a placeholder figure of 500 affected individuals and classified the breach as a hacking/IT incident on a network server. According to the initial investigation, the intruders had access to the compromised system from January 21 through February 5, 2025. SimonMed is a medical imaging service provider operating more than 170 imaging facilities in 10 US states.
The Medusa ransomware group took credit for this attack, claiming to have exfiltrated over 200 GB of information. While SimonMed has taken steps to secure their systems and prevent recurrence — including implementing EDR — EDR with monitoring and response has to be table stakes, not something you roll out after an incident. SimonMed says they are still not sure exactly who has been impacted, so they are providing a hotline and advice on securing your personal information rather than ID monitoring/restoration services. I know I'm repeating myself: don't wait to be notified to take action. Secure your credit and invest in ID monitoring/restoration services. Read their monthly reports and tune your settings as needed.
Use services and applications involving sensitive PII only with a consideration of the risk that said services or applications may be breached. The record in healthcare is not good.
Prosecutors have recommended restitution of over US$14 million and a sentence of seven years in prison for Matthew Lane, the 19-year-old from Worcester, Massachusetts who in May 2025 pleaded guilty to charges of cyber extortion and aggravated identity theft from two unnamed companies, one US telecommunications company and one "cloud-based software company that helped K-12 schools manage student and teacher data," believed to be PowerSchool. The sentencing memorandum asserts Lane's full consciousness of wrongdoing, noting a pattern of criminal cyber activity dating to 2021 and thorough measures to maintain anonymity including "virtual private networks, eSIMs, anonymized email addresses and phone numbers, stolen credentials, and foreign servers." The memorandum also asserts malice and greed, noting that "the ransom demands included threats to publicly leak the Social Security numbers of students as young as five years old and warned of the harms that would come to [PowerSchool], including the message: 'Final note, we fully intend to destroy your company and bankrupt it to the point of no absolute return if the [30 bitcoin, approximately US$2.85M] ransom is not paid.'" The telecom company's losses totaled US$59,822.43, including "ransom payment as well as fees for a cyber security negotiator, cyber security consultant, and legal services." PowerSchool's losses totaled US$14,015,718.15, including "ransom payment and the cost to provide identity theft protection services for the students and teachers affected." Lane's sentencing hearing will take place on October 14.
Lane clearly knew what he was doing, having compromised multiple companies since 2021, and had plans to take his skills to a job at Google. His future now lies along a different path. In the meantime, PowerSchool is in hot water with the state of Texas for falsely claiming "state of the art" security practices, and has acknowledged that the attack would not have been successful if they had employed MFA. All the more reason to verify third-party security claims. Also, use this to reinforce the argument for using phishing-resistant MFA. In short, don't make the attacker’s job any easier.
If the prosecutors’ recommendation is accepted by the judge, that amounts to “throwing the book” at the defendant. In this instance, crime certainly doesn’t pay.
SANS Internet Storm Center StormCast Tuesday, October 14, 2025
ESAFENET Scans; Payroll Pirates; MSFT Edge IE Mode
https://isc.sans.edu/podcastdetail/9654
Scans for ESAFENET CDG V5
We do see some increase in scans for the Chinese secure document management system, ESAFENET.
https://isc.sans.edu/diary/Heads+Up+Scans+for+ESAFENET+CDG+V5/32364
Investigating targeted “payroll pirate” attacks affecting US universities
Microsoft wrote about how payroll pirates redirect employee paychecks via phishing.
Attacks against Edge via IE Mode
Microsoft Edge offers an IE legacy mode to support websites created for Internet Explorer. The old JavaScript engine, which is part of this mode, has been abused in recent attacks, and Microsoft will make it more difficult to enable IE Mode to counter these attacks.
https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/
SANS Internet Storm Center StormCast Monday, October 13, 2025
More Oracle Patches; SonicWall Compromises; Unpatched Gladinet; 7-Zip Patches
https://isc.sans.edu/podcastdetail/9652
New Oracle E-Business Suite Patches
Oracle released one more patch for the E-Business Suite. Oracle does not state if it is already exploited, but the timing of the patch suggests that it should be expedited.
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
Widespread SonicWall SSLVPN Compromise
Huntress Labs observed the widespread compromise of the SonicWall SSLVPN appliance.
https://www.huntress.com/blog/sonicwall-sslvpn-compromise
Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371)
An unpatched vulnerability in the “secure” file sharing solutions Gladinet CentreStack and TrioFox is being exploited.
https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
Two 7-Zip Vulnerabilities CVE-2025-11002, CVE-2025-11001
7-Zip patched two vulnerabilities that may lead to arbitrary code execution.
https://www.zerodayinitiative.com/advisories/ZDI-25-949/ (CVE-2025-11001)
https://www.zerodayinitiative.com/advisories/ZDI-25-950/ (CVE-2025-11002)