Fortinet Fortiweb Flaw Exploited, Patched, Added to CISA KEV; Rust Adoption Yields Android Memory Bug Reduction; Logitech Discloses Data Breach

Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.

New Features This Year:

• CTF-Only Mode – Jump straight into the technical action
• Micro-Challenges – 10–15 min puzzles for quick, festive wins
• Capstones – Longer, deeper challenges to truly level up

Fortinet has fixed a critical (CVSS 9.8) path traversal vulnerability (CVE-2025-64446) in multiple versions of Fortinet FortiWeb web application firewall. The flaw could be exploited "to execute administrative commands on the system via crafted HTTP or HTTPS requests." There have been reports of an actively exploited FortiWeb path traversal flaw for a month. Fortinet has now acknowledged observing active exploits of the vulnerability in the wild; the issue has fixed in FortiWeb 8.0.2. The US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to the Known Exploited Vulnerabilities (KEV) catalog on November 14; Federal Civilian Executive Branch (FCEB) agencies have until November 21 to mitigate the issue. CISA says that organizations unable to immediately update to a fixed version of FortiWeb should "disable HTTP or HTTPS for internet-facing interfaces."

Google says that memory safety bugs have dropped below 20 percent of total vulnerabilities in Android due in large part to the adoption of the Rust programming language. According to a blog post by Android's Jeff Vander Stoep, they "adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust's impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one." The blog addresses Google's plan to expand Rust adoption to other elements of the company's software stack, and also details a "near-miss memory safety bug in unsafe Rust."

Logitech has disclosed a cybersecurity incident that resulted in the exfiltration of data. In a filing with the US Securities and Exchange Commission (SEC) as well as an ad hoc announcement as required by Swiss law, the Switzerland-based company writes that it "believes that the unauthorized third party used a zero-day vulnerability in a third-party software platform and copied certain data from the internal IT system. The zero-day vulnerability was patched by Logitech following its release by the software platform vendor." The compromised data likely include employee, customer, and supplier information. While Logitech has not identified the third-party platform it says was breached, ransomware threat actors included Logitech on a list of organizations compromised through vulnerabilities in Oracle E-Business Suite.

French telecommunications company Eurofiber says data were stolen last week during a breach that affected internal company systems. The incident occurred on Thursday, November 13 when attackers exploited a vulnerability in the "ticket management platform used by Eurofiber France and its regional brands (Eurafibre, FullSave, Netiwan, Avelia), as well as the ATE customer portal, which corresponds to Eurofiber France's cloud division operating under the Eurofiber Cloud Infra France brand." The attackers were able to exfiltrate data from the breached systems. The breach did not disrupt Eurofiber operations and appears to have affected only individuals in France; Eurofiber customers in Belgium, Germany, and the Netherlands were not affected.

One day after announcing a legal complaint and request for injunction filed against 25 unnamed maintainers of the "Lighthouse" phishing-as-a-service (PaaS) kit, Google has informed news sources that the criminal enterprise has lost access to its cloud server, apparently due to complaints of malicious activity. Google contends that Lighthouse operations have been effectively shut down. Ford Merrill from SecAlliance reports that "several domains historically associated with Lighthouse infrastructure appear to no longer be resolving to DNS requests at present." Kasey Best, Director of Threat Intelligence at Silent Push, also confirms that "all Lighthouse Telegram channels previously tracked have been deleted or taken down due to Telegram TOS violations." Google is seeking injunctions and damages for harm caused to their reputation when Google brands appear in fraudulent and malicious contexts, such as in Lighthouse's templates for online and SMS phishing.

Amazon Inspector security researchers have detected more than 150,000 malicious npm packages associated with a token farming campaign. What makes this attack different is that instead of injecting malicious code into npm packages, the perpetrators laced the packages with code that allowed them to self-replicate and earn TEA tokens, or rewards for open-source contributions. In late October 2025, "Amazon Inspector security researchers deployed a new detection rule—paired with AI—to identify additional suspicious package patterns in the npm registry. Within days, the system began flagging packages linked to the tea.xyz protocol—a blockchain-based system designed to reward open source developers." On November 8, the Amazon Inspector researchers contacted the Open Source Security Foundation (OpenSSF), with whom they then collaborated "to assign malicious package identifiers (MAL-IDs) and coordinate response."

Akira ransomware is the subject of an updated advisory published jointly by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services, Europol's European Cybercrime Centre (EC3), and partnered cybercrime and security authorities in France, Germany, and the Netherlands. The advisory details up-to-date indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) to equip threat hunters against newly observed attack methods. Akira is known for targeting small and medium-sized businesses, but has also attacked larger organizations across manufacturing, education, IT, healthcare, financial services, and food and agriculture. Notably the threat actor group has now begun encrypting Nutanix Acropolis Hypervisor (AHV) VM disk files, which diverges from their typical compromise of VMware ESXi and Microsoft Hyper-V. The advisory urges organizations to prioritize remediating known exploited vulnerabilities, to enable and enforce phishing-resistant MFA, and to maintain regular backups, including offline backup storage and regular tests of the restoration process.

DoorDash has published an announcement and is emailing affected customers to disclose a data breach detected on October 25, 2025. Upon identifying the incident, the company's response team shut down unauthorized access, began an investigation alongside an external firm, and referred the matter to law enforcement. An employee had been targeted by a social engineering scam, which allowed a third party to gain unauthorized access to data belonging to customers, delivery staff, and merchants. Accessed data vary by individual and may include first and last name, phone number, email address, and physical address; the incident did not involve Social Security numbers, ID numbers, or any financial details. DoorDash has enhanced its security systems for prevention and detection and has "implemented additional training and awareness for [their] employees around various social engineering scams," also providing a call center for inquiries. Affected users and cybersecurity professionals responding on social media express dismay over DoorDash's choice to state in the announcement that "no sensitive information was accessed." Separately, a security researcher recently discovered a method to exploit a budgeting feature in the "DoorDash for Business" platform to send branded emails containing arbitrary HTML from a legitimate company domain (no-reply@doordash[.]com), which could be abused for "zero-barrier, perfect trust phishing." According to BleepingComputer, while the flaw is now patched, the disclosure process was fraught. The researcher alleges that HackerOne and DoorDash neglected the bug report and withheld a bounty, while DoorDash contends that the flaw was out of scope for the bug bounty program and that the researcher's pressure on the company was not ethical despite a 15-month delay. Researchers have reported a nearly identical flaw in Uber’s systems since 2022, with no action taken.

Kubernetes has decided to retire Ingress NGINX. Kubernetes SRC's Tabitha Sable writes that while the Ingress controller has been popular, "the breadth and flexibility of Ingress NGINX has caused maintenance challenges. Changing expectations about cloud native software have also added complications. What were once considered helpful options have sometimes come to be considered serious security flaws, such as the ability to add arbitrary NGINX configuration directives via the ‘snippets’ annotations. Yesterday’s flexibility has become today’s insurmountable technical debt." Ingress NGINX will continue to receive "best-effort maintenance" through March 2026, at which time "there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered. The GitHub repositories will be made read-only and left available for reference." Users are encouraged to migrate to alternative ingress controllers.