At 3:11 a.m. EDT on Monday, October 20, 2025, Amazon Web Services (AWS) posted a service health update stating, "We are investigating increased error rates and latencies for multiple AWS services in the US-EAST-1 Region," whose hub is located in northern Virginia. By 5:01 a.m. EDT, AWS confirmed problems with the DNS resolution of the DynamoDB API endpoint in the region, noting that any services and features that rely on US-EAST-1 endpoints may be disrupted. By 6:35 a.m. EDT, "the underlying DNS issue [was] fully mitigated" but many Elastic Compute Cloud (EC2) instance launches continued returning errors, and SQS messages in Lambda queues accumulated into a backlog. AWS worked to mitigate "significant API errors" and network issues through the morning, and by 11:43 a.m. PDT, they found the root cause to be "an underlying internal subsystem responsible for monitoring the health of [AWS] network load balancers." By 4:03 p.m. EDT, AWS reported full recovery from Lambda invocation errors, and by 6:01 p.m. "all AWS services returned to normal operations." News sources report many major websites and online services down or disrupted as a result, including banks and government sites as well as "McDonald's, DisneyPlus, Snapchat, Signal, Roblox, Verizon, Fortnite, Venmo, Perplexity, Hulu, Duolingo, Perplexity, Reddit, ... Coinbase," Zoom, Signal, WhatsApp, and Alexa and Ring devices. Omdia Chief Analyst Roy Illsley noted to The Register that "US-EAST-1 can cause global issues because many users and services default to using it since it was the first AWS region, even if they are in a different part of the world."

As the AI over-hype bubble continues to expand, many power grids are being stressed by the wasted electricity use. A good reminder (before peak heat pump season kicks in across the Northern Hemisphere) to check power back-up/switch-over plans for your own data centers and outsourced cloud services.

At first blush, it appears being solely dependent on the US-EAST-1 was what took services out, but the impacted services are known to be spread across multiple regions which should not have been affected. For the future, you need to have a conversation about reduced dependency on any single region, which comes at a cost, but so does an outage. Someone is going to suggest multiple cloud providers as an alternative, but drill down on that as well: it may sound alluring, but the costs and overhead, to include replication/creation of services across providers, are likely more than you wish to take on. Expect Amazon to take steps to reduce dependencies on region 1 (US-EAST-1).
AWS
WIRED
The Register
The Register
TechCrunch
Axios
Law enforcement authorities in Europe have arrested seven individuals and dismantled support infrastructure related to a SIM farm. Operation SIMCARTEL involved law enforcement authorities from Austria, Estonia, Finland, and Latvia, Europol and Eurojust, and the Shadowserver Foundation. The criminal endeavor offered cybercrime-as-a-service through SIM cards that allowed the use of phone numbers belonging to other people to create phony social media accounts and conduct criminal campaigns, including "phishing, smishing, extortion, investment fraud, daughter-son scams, and fraudulent calls connected to fake shops and fake bank pages." Those involved in dismantling the operation seized five servers, two websites, 1,200 SIM box devices that were linked to 40,000 SIM cards, and hundreds of thousands of additional SIM cards. Authorities also froze €431,000 (about US$500,642.80) in suspects’ bank accounts and US$333,000 in suspects’ crypto accounts. Five people were arrested in Latvia; two were arrested elsewhere. The Europol story includes pictures from the takedown efforts.

The scale is impressive: look at the photos in the articles to see just how small a 40,000 SIM card server operation is, which was used to create more than 49 million online accounts, just by renting out numbers from 80 different countries. Use this as an argument to support moving away from SMS-based authentication/validation.
Europol
The Hacker News
BleepingComputer
CyberScoop
SecurityWeek
When the US National Institute of Standards and Technology's (NIST's) Common Vulnerability and Exposures (CVE) program "narrowly escaped a sudden demise" amid funding issues earlier this year, organizations with a vested interest in maintaining such a program floated possible alternatives. NIST's CVE program faces two major concerns: an early 2024 funding crisis forced NIST to cut back on the level of metadata they provided for the CVEs, and in April 2025, when it appeared that the program might not have funding at all, it was granted a reprieve in the form of an 11-month contract extension. CyberScoop notes, "Any disruption or uncertainty in the CVE program risks slowing down information sharing among defenders, undermining incident response, and granting attackers the upper hand." In light of that, after the April 2025 scare, several possible alternatives were suggested: "the EUVD, or the European Union Vulnerability Database, organized by the European Union Agency for Cybersecurity (ENISA); the GCVE: Global CVE Allocation System, developed by CIRCL.eu; the Computer Incident Response Center in Luxembourg, and the CVE Foundation, a U.S.-based nonprofit formed to support the CVE program." In early September, the US Cybersecurity and Infrastructure Security Agency (CISA) published its vision for a new CVE program that would "leverage [CISA's] partnerships to ensure better representation from international organizations and governments, academia, vulnerability tool providers, data consumers, security researchers, the operational technology industry, and the open-source community," and potentially incorporate other changes. In a position paper published on October 8, 2025, the Institute for Security and Technology writes "the CVE Program must evolve. It needs a broader base of funding from governments, philanthropies, and industry. And it needs a new governance structure with representation from non-U.S. governments and voices from across the entire community of CVE Record producers and users. This paper provides recommendations for global policymakers on how to reimagine the CVE Program for the next 25 years. At its core, it provides a policy framework that separates the creation and cataloging of universal vulnerability identifiers from other vulnerability management functions that rely on those identifiers."

CISA is proposing a model to support diversified funding and partnership to keep the current CVE program alive as well as proposing much-needed improvements to the CVE program and infrastructure. The two-page Strategic Focus document invites feedback via email. It would be better to continue a single CVE program than to have competing authorities necessitating not only data aggregation but also identification of gaps and other issues by our already overloaded teams.
CyberScoop
CISA
GitHub
Security and Technology
EUVD
Financial services company Prosper, which facilitates peer-to-peer lending, disclosed a data breach on September 2, 2025, which has now been analyzed by Troy Baker's "Have I Been Pwned" (HIBP) data breach aggregator. Prosper's FAQ on the incident states that the company detected and worked quickly to stop unauthorized activity on its systems, strengthened its security measures, engaged a third-party cybersecurity firm to investigate, and contacted law enforcement. Prosper is enhancing its monitoring and security controls, and reviewing security and privacy policies. While operations continue uninterrupted and Prosper found "no evidence of unauthorized access to customer accounts and funds," the company states that "confidential, proprietary, and personal information, including Social Security numbers, was obtained, including through unauthorized queries made on Company databases that store customer and applicant data." HIBP states that the breach contained 17.6 million unique email addresses, as well as "Browser user agent details, Credit status information, Dates of birth, Email addresses, Employment statuses, Government issued IDs, Income levels, IP addresses, Names, [and] Physical addresses." Prosper is aware of HIBP's report but is continuing to investigate and has not validated the analysis; the company has provided contact information for questions and will offer free credit monitoring once investigation is complete.

Prosper, a 20-year-old, innovative personal loan provider, is still determining which customers and data were impacted, so isn't yet offering ID/Credit monitoring to affected users. It's a waiting game to find out if you're included. As always, I suggest not relying on others to secure your credit — actively monitor it.
Prosper
HIBP
BleepingComputer
SecurityWeek
The Register
Moxa has released updates to address five vulnerabilities in the company's network security appliances and routers. Three of the vulnerabilities are rated critical: two execution with unnecessary privileges vulnerabilities (CVE-2025-6893 and CVE-2025-6949), and a hard-coded credentials issue (CVE-2025-6950) affecting JSON Web Tokens (JWT), which could lead to "complete system compromise." The other two vulnerabilities are a high-severity incorrect authorization vulnerability (CVE-2025-6892) and a medium-severity execution with unnecessary privileges vulnerability (CVE-2025-6894). The issues affect the following Moxa products: EDR-G9010 Series, EDR-8010 Series, EDF-G1002-BP Series, TN-4900 Series, NAT-102 Series, NAT-108 Series, and OnCell G4302-LTE4 Series. Users are urged to install the most recent firmware updates (v3.21 or later) as soon as possible.

If you have Moxa devices, make sure they are updated PDQ. Note that if you're using their OnCell G4302-LTE4 Series products you have to contact technical support for the v3.21.0 patch. Then dig into their General Security Recommendations to be sure you are up to date on securing these devices and services.
Heise
Help Net Security
Moxa
Wiz Research has published a blog post describing their discovery that over 500 VSCode extension packages contained publicly accessible hardcoded secrets. Wiz found .vsix files from hundreds of publishers that notably contained "AI provider secrets (OpenAI, Gemini, Anthropic, XAI, DeepSeek, HuggingFace, Perplexity); High risk profession platform secrets (AWS, Github, Stripe, Auth0, GCP); [and] Database secrets (MongoDB, Postgres, Supabase)" among others. Over 130 packages contained access tokens for the VSCode Marketplace or OpenVSX Marketplace that authorize updates to an extension, putting the supply chain at risk. Wiz attributes much of this leakage to "the bundling of hidden files, also known as dotfiles," as well as AI configuration, build configuration, and documentation files. Microsoft worked with the researchers to contact affected publishers, revoke all leaked tokens, integrate pre-publishing scans for secrets, block extensions containing verified secrets, and continue to scan for embedded secrets in existing extensions. Wiz recommends VSCode users limit how many extensions they install, review trust criteria for choosing what to install, and consider both the benefits and risks of auto-update; corporate security teams should inventory all IDE extensions, consider implementing a centralized allowlist, and prefer the more thoroughly reviewed VSCode Marketplace over the OpenVSX Marketplace. The researchers also encourage platforms to ensure secrets default to a reasonably short lifetime and have an identifiable structure. Unrelatedly, researchers at Koi have identified a worm that targets VSCode extensions on the OpenVSX marketplace and is still actively spreading. The worm hides malicious code in unprintable Unicode characters and uses a public blockchain for command and control (C2) infrastructure with Google Calendar as a backup. The malware turns an infected system into a SOCKS proxy server and propagates through the developer ecosystem, stealing and exploiting credentials and tokens to compromise extensions in npm, GitHub, OpenVSX, Git, and others, as well as targeting cryptocurrency wallets. Koi has published indicators of compromise (IoCs), warning that some extensions are still actively distributing malware.

At core is leakage of secrets in the Visual Studio Code marketplace. Make sure that you are not publishing secrets in your code repositories, particularly your extensions (.vsix files). These files are able to be unzipped and inspected, and need to not be distributed externally, even though they often are for convenience. In parallel, jump on the GlassWorm IoCs from Koi: it harvests credentials, targets crypto wallets to drain funds, deploys proxy servers, installs hidden VNC servers, and uses stolen credentials to update other packages to propagate itself. There are almost 36,000 GlassWorm victims and the number keeps growing.
Wiz
Dark Reading
The Hacker News
Koi
BleepingComputer
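The Wiz finding above comes down to two checks a publisher can run before uploading a package: is a dotfile bundled, and does any text member contain a string shaped like a credential. The script below is an added example (not Wiz's or Microsoft's tooling) that performs both on a .vsix, which is an ordinary zip archive. The deny-list and secret patterns are assumptions: the AKIA and ghp_ prefixes are the real AWS access-key and GitHub token formats, the sk- and generic-assignment patterns are illustrative, and the sample package is constructed in memory using the placeholder keys from AWS's own documentation.

```python
"""Pre-publish check for a VS Code extension package (.vsix is a zip): flag bundled
dotfiles and strings that look like credentials. Added example, not Wiz's or
Microsoft's tooling; the secret patterns below are assumptions."""
import io
import re
import zipfile
from typing import List, Tuple

# Secret formats with an identifiable structure. AKIA/ghp_ prefixes are real
# AWS / GitHub formats; the "sk-" and generic patterns are illustrative.
SECRET_PATTERNS = {
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "sk- style api key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "generic credential assignment": re.compile(
        r"(?i)(?:key|secret|token|password|passwd)\s*[=:]\s*['\"]?[A-Za-z0-9/+_\-]{16,}"
    ),
}


def is_dotfile(path: str) -> bool:
    """True if any path component is a dotfile or dot-directory (e.g. .env, .git/, .aws/)."""
    return any(part.startswith(".") for part in path.split("/") if part)


def scan_vsix(vsix_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member path, finding) pairs; an empty list means the package looks clean."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_dotfile(info.filename):
                findings.append((info.filename, "bundled dotfile"))
            try:
                text = zf.read(info.filename).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary assets (icons, fonts) are not pattern-scanned here
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((info.filename, f"possible secret: {label}"))
    return findings


def build_sample_vsix() -> bytes:
    """Constructed package for demonstration. The AWS values are the placeholder
    keys from AWS's own documentation; the sk- value is made up."""
    members = {
        "extension/package.json": '{"name": "demo-ext", "version": "0.0.1"}',
        "extension/README.md": "Install from the marketplace.",
        "extension/.env": (
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        "extension/src/config.js": 'export const OPENAI_API_KEY = "sk-constructedexample000000000000";\n',
        "extension/dist/bundle.js": "console.log('hello');\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for path, finding in scan_vsix(build_sample_vsix()):
        print(f"{finding:40} {path}")
```

Run it against a real package with `scan_vsix(open("my-ext.vsix", "rb").read())`; any dotfile hit is worth fixing regardless of content, because `.vscodeignore` is the intended way to keep such files out of the package, and a token found in a shipped file should be treated as already leaked and rotated rather than merely removed.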
On Monday, October 20, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added five CVEs to the Known Exploited Vulnerabilities (KEV) catalog: a high-severity server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator in Oracle E-Business Suite (CVE-2025-61884); a high-severity improper access control vulnerability in Microsoft Windows SMB Client (CVE-2025-33073); two critical authentication bypass vulnerabilities in Kentico Xperience CMS (CVE-2025-2746 & CVE-2025-2747); and a high-severity, unspecified vulnerability affecting JavaScriptCore in multiple Apple products (CVE-2022-48503). The Oracle CVE was published on October 11, 2025; the Windows SMB CVE was published in June 2025; the Kentico Xperience CMS CVEs were published in March 2025; and the Apple JavaScriptCore CVE was published in August 2023. All the vulnerabilities have mitigation deadlines of November 10, 2025, for Federal Civilian Executive Branch (FCEB) agencies.

Another case of an old vulnerability being actively exploited. In this case, CVE-2022-48503 — arbitrary code execution processing web content, CVSS score 8.8 — was addressed by Apple in tvOS 15.6, watchOS 8.7, iOS 15.6, macOS 12.5 and Safari 15.6. Even so, those updated OS versions are no longer supported, so you need to be on current Apple operating systems, which may require lifecycle replacements.
Among the updates Microsoft released on Tuesday, October 14, 2025, is a fix for a CVSS 9.9 vulnerability in the Kestrel ASP.NET Core web server, which is reportedly the "highest ever" severity ASP.NET Core vulnerability. The flaw, which is described as an "inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core[,] allows an authorized attacker to bypass a security feature over a network." The flaw can be exploited via a malicious http request and could allow an attacker to view sensitive data, alter file contents on a targeted server, and crash a vulnerable server. Microsoft recommends the following: "If you are running .NET 8 or later install the .NET update from Microsoft Update, then restart your application or reboot the machine; If you are running .NET 2.3 you must update the package reference for Microsoft.AspNet.Server.Kestrel.Core to 2.3.6, then recompile your application and redeploy; If you are running a self-contained/single-file application, install the .NET update, recompile your application and redeploy."

After you've got the .NET Core 2.3, 8.0 and 9.0 updates as well as Visual Studio 2022 and Microsoft.AspNetCore.Server.Kestrel.Core packages all queued up and deploying, find out if your developers have existing .NET applications which need to be recompiled and redeployed, and track those to completion.
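Microsoft's guidance quoted above splits into three cases (package bump, recompile, runtime update only), and the editor's note asks you to track projects through the right one. The script below is an added example, not Microsoft's tooling, that reads a project's .csproj and assigns it to a case: it looks for a `Microsoft.AspNetCore.Server.Kestrel.Core` package reference below 2.3.6, and otherwise for `SelfContained` or `PublishSingleFile` properties that mean a recompile is needed. The three sample project files are constructed.

```python
"""Inventory .NET projects for the Kestrel fix path: which need a package bump, which
need a recompile, and which only need the runtime update. Added example, not Microsoft's
tooling; the sample project files are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

KESTREL_PKG = "Microsoft.AspNetCore.Server.Kestrel.Core"
FIXED_PKG_VERSION = (2, 3, 6)  # per the advisory, for apps still on the 2.x package


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.6' -> (2, 3, 6); pre-release suffixes are ignored for the comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def assess_project(csproj_xml: str) -> Dict[str, object]:
    root = ET.fromstring(csproj_xml)
    pkg_version = None
    for ref in root.iter("PackageReference"):
        if ref.get("Include") == KESTREL_PKG:
            # Version may be an attribute or a child element in SDK-style projects.
            pkg_version = ref.get("Version") or ref.findtext("Version")
    flags = {
        tag: (root.findtext(f".//{tag}") or "").strip().lower() == "true"
        for tag in ("SelfContained", "PublishSingleFile")
    }

    if pkg_version and parse_version(pkg_version) < FIXED_PKG_VERSION:
        action = f"bump {KESTREL_PKG} to 2.3.6, recompile, redeploy"
    elif flags["SelfContained"] or flags["PublishSingleFile"]:
        action = "install .NET update, recompile, redeploy"
    else:
        action = "install .NET update, restart application"
    return {"kestrel_package": pkg_version, **flags, "action": action}


# Constructed project files covering the three cases in the advisory.
SAMPLE_PROJECTS = {
    "legacy-api.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>netcoreapp2.1</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.2.0" />
  </ItemGroup>
</Project>""",
    "single-file-svc.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <PublishSingleFile>true</PublishSingleFile>
    <SelfContained>true</SelfContained>
  </PropertyGroup>
</Project>""",
    "framework-dependent.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net9.0</TargetFramework></PropertyGroup>
</Project>""",
}

if __name__ == "__main__":
    for name, xml in SAMPLE_PROJECTS.items():
        print(f"{name:28} {assess_project(xml)['action']}")
```

Point it at a checkout with `assess_project(open(path).read())` for every `*.csproj` found; projects whose publish settings live in a `Directory.Build.props` or a publish profile rather than the .csproj will need those files read as well.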
In a social media post, Microsoft Threat Intelligence writes, "In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware." Microsoft first detected the suspicious behavior in September 2025. The threat will be blocked on systems where Microsoft Defender Antivirus is fully enabled. Microsoft has shared sample indicators of compromise.

The fake installers were delivered from sites impersonating the real Microsoft Teams download site, e.g., teams-download[.]buzz, teams-install[.]run, or teams-download[.]top. Users are directed to these sites through SEO poisoning. Make sure you're blocking those sites, blocking installs of packages with revoked certificates, and detecting the Vanilla Tempest TTPs.
Dark Reading
Help Net Security
The Hacker News
Bleeping Computer
SecurityWeek
bsky
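The editor's note above names the lookalike sites (teams-download[.]buzz, teams-install[.]run, teams-download[.]top) and asks that they be blocked. The script below is an added example, not Microsoft's detection, of the more general rule those names suggest: a hostname that pairs the product name with an install/download verb and is not under a Microsoft domain. The proxy log format, the allow-list of trusted suffixes, and the sample log lines are all assumptions; the sample lines are constructed and carry the domains defanged exactly as the note prints them, so `refang()` normalises them before matching.

```python
"""Flag proxy/DNS log entries for Teams-installer lookalike domains. Added example,
not Microsoft's detection; log format, allow-list and sample lines are assumptions."""
import re
from typing import List, Tuple

# Hosts a genuine Teams download should come from (assumed allow-list; tune to your tenant).
TRUSTED_SUFFIXES = (".microsoft.com", ".office.com", ".microsoftonline.com")

# Registrable label that pairs the product name with an install/download verb, any TLD.
LOOKALIKE_RE = re.compile(r"(?i)(?:^|\.)teams[-_]?(?:download|install|setup|update)s?\.[a-z]{2,}$")


def refang(host: str) -> str:
    """Turn 'teams-download[.]buzz' back into a matchable hostname."""
    return host.replace("[.]", ".").lower()


def is_trusted(host: str) -> bool:
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES)


def flag_lookalikes(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Each line: '<timestamp> <client-ip> <host> <status>' (constructed proxy format).
    Returns (timestamp, client, host) for hosts that look like Teams installer sites
    and are not on the allow-list."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, host = parts[0], parts[1], refang(parts[2])
        if is_trusted(host):
            continue  # allow-list wins before any pattern matching
        if LOOKALIKE_RE.search(host):
            hits.append((ts, client, host))
    return hits


# Constructed sample: three lookalike hits interleaved with legitimate Microsoft traffic.
SAMPLE_LOG = [
    "2025-10-20T14:02:11Z 10.1.4.22 teams-download[.]buzz 200",
    "2025-10-20T14:02:15Z 10.1.4.22 teams.microsoft.com 200",
    "2025-10-20T14:03:40Z 10.1.7.9 teams-install[.]run 200",
    "2025-10-20T14:05:02Z 10.1.9.3 www.microsoft.com 200",
    "2025-10-20T14:06:30Z 10.1.4.22 teams-download[.]top 404",
    "2025-10-20T14:07:00Z 10.1.2.2 download.microsoft.com 200",
]

if __name__ == "__main__":
    for ts, client, host in flag_lookalikes(SAMPLE_LOG):
        print(ts, client, host)
```

A client that hits one of these hosts and then shows a new Teams installation is the combination to triage; the proxy hit alone is the pivot, and the client IP is what you join against endpoint telemetry.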
Harvard University in Cambridge, Massachusetts, is the first organization to confirm that they are victims of a cybercrime campaign that exploits vulnerabilities in Oracle E-Business Suite. Harvard says the incident affected "a limited number of parties associated with a small administrative unit," and the university has since patched the vulnerability the attackers exploited. Other confirmed victims include Texas-based Envoy Air and South Africa's University of the Witwatersrand, Johannesburg. Envoy Air is a subsidiary of American Airlines; it has roughly 20,000 employees and offers regional flight services under the American Eagle brand name. Envoy said that "a limited amount of business information and commercial contact details may have been compromised." Google Threat Intelligence Group and Mandiant say "the threat actor(s) exploited what may be CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as Aug. 9, 2025, weeks before a patch was available, with additional suspicious activity dating back to July 10, 2025."

Given that the malicious activity goes back to July, if you're still waiting on deploying the EBS CPU, it's past time, and you really need to take the IoCs and verify you're not already a victim. You're going to get pushback around regression testing and impacting the financial cycle, so you're going to need some high-powered backing in your corner, as well as a good story about what's at stake.
Dark Reading
The Record
Security Week
The Record
BleepingComputer
SecurityWeek
SANS Internet Storm Center StormCast Tuesday, October 21, 2025
Syscall() Obfuscation; AWS down; Beijing Time Attack
https://isc.sans.edu/podcastdetail/9664
Using Syscall() for Obfuscation/Fileless Activity
Fileless malware written in Python can use syscall() to create file descriptors in memory, evading signatures.
https://isc.sans.edu/diary/Using+Syscall+for+ObfuscationFileless+Activity/32384
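Code that creates an in-memory file descriptor and executes from it leaves a trace the diary's technique cannot hide: the kernel reports the backing object as `/memfd:<name> (deleted)` when `/proc/<pid>/exe` or `/proc/<pid>/fd/<n>` is read. The script below is an added example, not the diary's code, of hunting for that on Linux. `collect_links()` does the live read (reading other users' processes needs root), `classify_links()` separates a process that is executing from a memfd from one that merely holds a memfd descriptor, which some audio and display runtimes do legitimately. The sample snapshot is constructed.

```python
"""Hunt for Linux processes backed by anonymous in-memory files (memfd), the
fileless indicator discussed in the diary. Added example; the sample snapshot is
constructed and the live collector assumes you may read /proc for the targets."""
import os
import re
from typing import Dict, List, Tuple

# readlink() on /proc/<pid>/exe or /proc/<pid>/fd/<n> returns "/memfd:<name> (deleted)"
# for anonymous files created with memfd_create(2).
MEMFD_RE = re.compile(r"^/memfd:")


def classify_links(links: Dict[str, str]) -> List[Tuple[str, str]]:
    """links maps a /proc symlink path to its readlink() target; returns the memfd-backed ones."""
    return [(path, target) for path, target in sorted(links.items()) if MEMFD_RE.match(target)]


def pids_by_severity(hits: List[Tuple[str, str]]) -> Dict[str, str]:
    """Executing *from* a memfd (the exe link) is a much stronger signal than holding
    a memfd descriptor, which shared-memory users (audio, compositors) do legitimately."""
    verdict: Dict[str, str] = {}
    for path, _ in hits:
        pid = path.split("/")[2]  # "/proc/<pid>/..." -> "<pid>"
        if path.endswith("/exe"):
            verdict[pid] = "exe-from-memfd"
        else:
            verdict.setdefault(pid, "holds-memfd-fd")
    return verdict


def collect_links(proc_root: str = "/proc") -> Dict[str, str]:
    """Live collection of exe and fd symlinks for every numeric PID under proc_root."""
    links: Dict[str, str] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        targets = [os.path.join(base, "exe")]
        try:
            targets += [os.path.join(base, "fd", fd) for fd in os.listdir(os.path.join(base, "fd"))]
        except OSError:
            pass  # permission denied, or the process exited mid-scan
        for path in targets:
            try:
                links[path] = os.readlink(path)
            except OSError:
                continue
    return links


# Constructed snapshot: PID 4242 runs from a memfd, PID 900 only holds one (benign-looking).
SAMPLE_LINKS = {
    "/proc/1/exe": "/usr/lib/systemd/systemd",
    "/proc/777/exe": "/usr/bin/python3.11",
    "/proc/777/fd/0": "/dev/pts/0",
    "/proc/4242/exe": "/memfd:payload (deleted)",
    "/proc/4242/fd/3": "/memfd:payload (deleted)",
    "/proc/4242/fd/0": "/dev/pts/0",
    "/proc/900/fd/7": "/memfd:sample-legit-shm (deleted)",
}

if __name__ == "__main__":
    hits = classify_links(SAMPLE_LINKS)  # swap in collect_links() for a live host
    for pid, verdict in pids_by_severity(hits).items():
        print(pid, verdict)
```

On a live host, pair an `exe-from-memfd` verdict with the process's command line and parent: an interpreter (the diary's case is Python) whose parent is a shell or a web server process and whose `exe` resolves to a memfd is the combination worth pulling memory for, since the file itself will not be on disk.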
AWS Outages
AWS has had issues most of the day on Monday, affecting numerous services.
https://health.aws.amazon.com/health/status
Time Server Hack
China reports a compromise of its time standard servers.
https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html
SANS Internet Storm Center StormCast Monday, October 20, 2025
Malicious Tiktok; More Google Ad Problems; Satellite Insecurity
https://isc.sans.edu/podcastdetail/9662
TikTok Videos Promoting Malware Installation
Tiktok videos advertising ways to obtain software like Photoshop for free will instead trick users into downloading
https://isc.sans.edu/diary/TikTok+Videos+Promoting+Malware+Installation/32380
Google Ads Advertise Malware Targeting macOS Developers
Hunt.io discovered Google ads that pretend to advertise tools like Homebrew and password managers to spread malware
https://hunt.io/blog/macos-odyssey-amos-malware-campaign
Satellite Transmissions are often unencrypted
A large amount of satellite traffic is unencrypted and easily accessible to eavesdropping
Is that iOS jailbreak real? Corellium Labs exposed nekoJB Online as a weaponized scam — not a jailbreak — that installs root certificates, hijacks traffic, and harvests credentials. Read our forensic breakdown to see how attackers exploit trust, how to detect fake jailbreaks, and how to test safely in virtual environments. Read the full analysis.
Summit Bonus Session | Living Off the Cloud - Responding to Sophisticated Ransom Attacks in the Cloud | Wednesday, October 29, 2025 @ 12:30 PM CT. This session will focus on a real-world living off the cloud attack case study, analyzing a step-by-step account of the attack as it unfolded from the attackers’ perspective.
SANS Cyber Solutions Fest | SOC Track | Wednesday, November 5, 2025 @ 10:00 AM ET. This focused track explores the ever-evolving world of Cloud IAM, diving into modern strategies, common missteps, and emerging tools designed to help organizations reclaim control over sprawling identities and creeping permissions.
Webcast | Autonomous Endpoint Management: Next-Gen Endpoint Visibility Fueling SecOps & IT Ops with AI | Wednesday, November 12, 2025 @ 3:30 PM ET. Join Chris Schwind, World Wide Technology Field CISO, to examine how single-agent architectures and AI-powered capabilities empower teams to operate from a shared source of truth & reduce operational overhead.