Microsoft Mitigates Exploited Critical WSUS Vulnerability; AWS Outage Report; New Firefox Extensions Must Disclose Data Practices

Late last week, Microsoft released an unscheduled update to address a critical deserialization of untrusted data vulnerability in Windows Server Update Service (WSUS) (CVE-2025-59287). An earlier update did not fully mitigate the existing issue, which affects Windows Server 2012, 2016, 2019, 2022, and 2025, and the vulnerability has been actively exploited. On Friday, October 24, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog with a mitigation deadline of November 14, 2025 for Federal Civilian Executive Branch (FCEB) agencies. CISA advises taking the following steps: "1. Identify servers that are currently configured to be vulnerable to exploitation (i.e., affected servers with WSUS Server Role enabled and ports open to 8530/8531) for priority mitigation. 2. Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1. Reboot WSUS server(s) after installation to complete mitigation. If organizations are unable to apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports 8530/8531, the default listeners for WSUS, at the host firewall. Of note, do not undo either of these workarounds until after your organization has installed the update. 3. Apply updates to remaining Windows servers. Reboot servers after installation to complete mitigation."

Amazon has published a post-event summary of the AWS outage that impacted the US-EAST-1 region data center on Monday, October 20, 2025, disrupting sites and online services worldwide. Beginning at 2:48 a.m. EDT, there were increased API error rates in DynamoDB; later in the morning the Network Load Balancer (NLB) experienced increased connection errors, EC2 instance launches were failing, and "customers experienced API errors and latencies for Lambda functions." Amazon has determined that "The incident was triggered by a latent defect within the service’s automated DNS management system that caused endpoint resolution failures for DynamoDB." The failure was caused by "a latent race condition in the DynamoDB DNS management system that resulted in an incorrect empty DNS record for the service’s regional endpoint," which triggered cascading disruptions to NLB service, EC2 launches, and Lambda functions. As WIRED writes, "the system was straining under the weight of a backlog of requests." Amazon resolved the outage after nearly 16 hours. The faulty DNS planner and enactor automation that experienced the race condition has been disabled while Amazon fixes the issue and adds additional protections and mechanisms for control and throttling, looking also for "ways to avoid impact from a similar event in the future, and how to further reduce time to recovery."

Mozilla has announced a new policy requiring Firefox extensions to disclose whether they collect and/or transmit personal data. Starting Monday, November 3, 2025, "all new Firefox extensions will be required to specify if they collect or transmit personal data in their manifest.json file using the browser_specific_settings.gecko.data_collection_permissions key." While the requirement applies only to new extensions at first, the policy will be rolled out to all extensions during the first half of 2026. Mozilla notes that "extensions that do not collect or transmit any personal data are required to specify this by setting the none required data collection permission in this property." The data gathering and sharing information will be displayed in the installation dialog along with the extension's permissions.

QNAP has published a security advisory describing the how a critical ASP.NET Core vulnerability (CVE-2025-55315) recently disclosed by Microsoft may affect QNAP's NetBak PC Agent, which "installs and depends on Microsoft ASP.NET Core components during setup." QNAP urges users to make sure they have installed the most up-to-date version of ASP.NET Core on their Windows systems. CVE-2025-55315 is a security bypass issue that was detected in the Kestrel ASP.NET Core web server, and "allows an authorized attacker to bypass a security feature over a network" via "HTTP Request/Response Smuggling." In mid-October Microsoft addressed the vulnerability, which has the highest known severity rating for an ASP.NET Core vulnerability.

Researchers at iVerify have observed that iOS 26 purges evidence of Pegasus and Predator spyware infections due to the way the shutdown.log file is managed. iVerify writes, "For years, the shutdown.log file has been an invaluable, yet often overlooked, artifact in the detection of iOS malware. Located within the Sysdiagnoses in the Unified Logs section (specifically, Sysdiagnose Folder -> system_logs.logarchive -> Extra -> shutdown.log), it has served as a silent witness to the activities occurring on an iOS device, even during its shutdown sequence." Certain types of spyware have been found to leave "subtle traces" in this file, which then serves as an indicator of compromise. With the introduction of iOS 26, the operating system now overwrites the shutdown.log file on every device reboot. Earlier versions of iOS appended new entries, preserving older data.

Wordfence says that on October 8 and 9, 2025, it blocked 8.7 million attempts to exploit known critical vulnerabilities affecting the GutenKit and Hunk Companion WordPress plugins. The vulnerabilities, CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, can all be exploited to achieve remote code execution. CVE-2024-9234, "a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint)" issue, allows arbitrary file uploads; it affects the GutenKit plugin up through version 2.1.0. CVE-2024-9707 and CVE-2024-11972 are missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint issues that could lead to unauthorized plugin installation/activation in the Hunk Companion WordPress plugin. CVE-2024-9707 affects Hunk Companion up through version 1.8.4; CVE-2024-11972 affects Hunk Companion up through version 1.8.5. Users are urged to update to the most recent version of both the GutenKit and Hunk Companion plugins, which have 40,000 and 8,000 active installations, respectively.

On Saturday, October 25, 2025, officials from 72 countries signed the United Nations Convention against Cybercrime, a treaty first proposed by Russia in 2017 to succeed 2001's Budapest Convention, and adopted by the UN in December 2024. The Convention's stated scope is "to prevent and combat the offences established by the Convention, recover the proceeds of these offences, and strengthen international cooperation, particularly in sharing electronic evidence across borders for both Convention-related offences and for other serious crimes.” The Convention enumerates and criminalizes ten types of cyber-dependent and cyber-enabled conduct; it requires establishment of jurisdiction and cooperation among signatory States; it mandates that States "empower their authorities to rapidly secure and obtain electronic data for any criminal investigation" provided that "law enforcement officers must respect fundamental human rights;" it establishes frameworks for investigative assistance, data acquisition, and information sharing between States; it requires a variety of "preventive measures" across all sectors; and it requires that States report on Convention implementation to a newly-created oversight conference. Tech industry companies and human rights groups have criticized the treaty since its inception, citing potential abuses of broad powers of surveillance, criminalization, and information sharing as threats to human rights without adequate protections, possibly empowering authoritarian governments and putting "security researchers, whistleblowers, activists, … journalists," and vulnerable populations at risk. The US has not signed the Convention, which will only become legally binding 90 days after at least 40 States have "deposit[ed] their instruments of ratification, acceptance, approval or accession."

The International Counter Ransomware Initiative (CRI) has published "Guidance for organisations to build supply chain resilience against ransomware," following the group's 2025 summit. Last year's summit called for insurance companies to stop paying ransom demands. The new supply chain guidance was developed by CRI's policy leads, the UK and Singapore. "The guidance aims to reduce the likelihood of a ransomware incident having a critical effect on an organisation by: a. Raising awareness of the ransomware threat across an organisation’s supply chain; b. Promoting good cyber hygiene to protect supply chains, [and] c. Ensuring supply chain vulnerabilities are factored into an organisation’s risk assessment and decisions, including on procurement." The guidance aims to "improve [organizations’] supply chain security posture against ransomware risks" by understanding the importance of supply chain security; identifying supply chain partners, the level of access those partners have to data, and the partners' security posture; developing a supply chain security strategy and implementation plan; and reviewing and refining their approach to supply chain security. CRI has 61 member countries and six member international organizations.

Swedish electricity transmission system operator Svenska Kraftnäts has confirmed that they suffered a data breach resulting in the theft of information. The organization is investigating what information was compromised. According to a company statement, "the breach involved a limited, external file transfer solution." Svenska Kraftnäts Head of Information Security Cem Göcgoren said the incident did not affect electricity supply. While a group of threat actors has claimed responsibility for the attack, Göcgoren said, “At this time, we are not commenting on perpetrators or motives until we have confirmed information.” The company is working with law enforcement and national cybersecurity authorities on the investigation.