Cloudflare Outage Caused by Internal Error; Another Exploited Fortinet Vulnerability Disclosed; PowerSchool Data Breach Accountability Shared by Schools, say Officials

Rally your crew, form a cohort, and jump into the Holiday Hack Challenge, a free, hands-on cybersecurity game packed with real-world challenges, quick micro-missions and epic capstones. The Holiday Hack Challenge is built by the same experts behind SANS Cyber Ranges, offering high-quality, real-world learning in a fun, festive environment.

https://www.sans.org/cyber-ranges/holiday-hack-challenge

Starting at 11:28 UTC on November 18, 2025, websites, services, online platforms, and even critical infrastructure systems supported by Cloudflare's Global Network experienced a widespread outage, which Cloudflare has since traced to an internal error, stating "the issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind." While initial 5xx error HTTP status codes led to speculation about a "hyper-scale" distributed denial-of-service (DDoS) attack, Cloudflare identified within three hours of the incident that the ultimate cause was actually a routine database permissions change. A module that manages bot access to Cloudflare customers' sites receives an updated configuration file every few minutes, generated by a database; an adjustment to database access permissions inadvertently generated this configuration file at twice the expected size, causing the bot management module to crash throughout the Cloudflare network. By 14:30 UTC, Cloudflare deployed a corrected configuration file, and by 17:06 "all downstream services [were] restarted and all operations fully restored." Brian Krebs writes that the challenge of pivoting away from Cloudflare during this incident might be considered, in the words of Nicole Scott, senior product marketing manager at Replica Cyber, "a free tabletop exercise, whether you meant to run one or not." Krebs also cites IANS Research faculty member Aaron Turner's concerns: "Many companies have essentially relied on Cloudflare for the OWASP Top Ten [web application vulnerabilities] and a whole range of bot blocking. How much badness could have happened in that window? Any organization that made that decision needs to look closely at any exposed infrastructure to see if they have someone persisting after they’ve switched back to Cloudflare protections."

Fortinet has disclosed and patched a second actively-exploited vulnerability in FortiWeb in less than a week. Fortinet disclosed the high-severity OS command injection vulnerability, CVE-2025-58034, on Tuesday, November 18. This vulnerability, like the Fortinet FortiWeb flaw disclosed on November 14 (CVE-2025-64446), has been added to the Cybersecurity and Infrastructure Security Agency (CISA's) Known Exploited Vulnerabilities (KEV) catalog, and like the other vulnerability, Federal Civilian Executive Branch (FCEB) agencies have one week to mitigate the flaw; this one must be fixed by Tuesday, November 25.

Canadian provincial governments in Ontario and Alberta have independently published reports on the PowerSchool breach that say affected school systems share responsibility for the lost data with the edtech company. According to the provincial information commissioners' reports, the school systems should have included privacy and security provisions in their contracts with PowerSchool, and should have taken steps to ensure that PowerSchool was employing robust security measures, such as limiting remote access to school data and requiring multi-factor authentication (MFA). The reports also found that the school systems did not have effective breach response plans in place, and that some of the school systems retained data going back several decades. The perpetrator of the December 2024 breach was able to access PowerSchool's systems because the company had not enabled MFA; the breach resulted in the exfiltration of data belonging to 62 million students and 9 million educators.

On Tuesday, November 18, SolarWinds published advisories for five vulnerabilities in their products: three critical flaws in SolarWinds Serv-U and two medium-severity flaws in SolarWinds Observability Self-Hosted. The Serv-U vulnerabilities are a logic error issue (CVE-2025-40547), a missing validation process (CVE-2025-40548), and a path restriction bypass vulnerability (CVE-2025-40549), all of which an attacker with admin privileges could exploit to execute code. The vulnerabilities in SolarWinds Observability Self-Hosted are a cross-site scripting flaw (CVE-2025-26391) and an SQL injection flaw (CVE-2025-40545).

On November 19, 2025, Salesforce published a security advisory disclosing a data breach that took place via applications published by third-party business software company Gainsight, connected to Salesforce and "installed and managed directly by customers." Salesforce immediately revoked all active access and refresh tokens for connected Gainsight applications and also temporarily removed the applications from the Salesforce AppExchange upon discovering unauthorized activity. While the nature and scope of the attack have not been specified, the advisory states that "certain customers' Salesforce data" may have been accessed, and investigation is ongoing. Salesforce emphasizes that they do not believe the attack stemmed from a vulnerability in the Salesforce platform, but rather from "the app's external connection to Salesforce." Gainsight's status website includes brief updates on investigation of "Salesforce Connection failures ... [and] unusual activity that led to the revocation of access tokens for Gainsight-published applications" beginning on November 20. Gainsight's latest update at the time of this writing notes that as a precaution the Gainsight app has been pulled from the Hubspot Marketplace as well, but "no suspicious activity related to Hubspot has been observed."

David Melendez and Gabriela Garcia, founders of TechFrontiers, are cautioning railway systems to mitigate the risk of malicious interference with legacy signaling protocols and beacons, in light of vulnerabilities discovered in their research. Many rail signaling systems worldwide including the European Train Control System (ETCS) and Spain's Anuncio de Señales y Frenado Automático (ASFA) rely on largely unsecured passive transponders called balises as one component of communicating information for safe operation. Mendelez and Garcia were easily able to create a simple copycat balise, which "could have been used to halt a moving train in its tracks, issue false speed commands, or worse." The researchers also noted a lack of physical safeguards preventing existing balises from being disabled or maliciously re-tuned. Additional research addressing the security of more modern complements to the balise system, such as digital systems involved in ETCS, will be reserved for the researchers' presentation at Black Hat 2025, due to the sensitivity of the information. The presenters will offer "recommendations for mitigating these threats, including cryptographic authentication of balise messages, anomaly detection techniques, and real-time verification of beacon authenticity."

European financial supervisory authorities have named 19 technology companies as designated critical information and communication technology third-party providers (CTPPs) for the European Union's (EU's) financial sector. The EU's Digital Operational Resilience Act (DORA), which took effect in January 2025, gives the EU's European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), known collectively as the ESAs, the authority to designate technology providers as critical, and to supervise those entities directly. The designated technology providers include AWS, Google Cloud, and Microsoft. "Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities."

Nearly half of Microsoft's updated "Experimental Agentic Features" article is devoted to underscoring the unique security risks entailed by Agent Workspace and Copilot Actions. Both features are turned off by default and are only available to Windows Insiders, and Microsoft recommends users only enable them if they "understand the security implications." Beginning the "Why Security Matters" section by noting the risk of hallucination, Microsoft goes on to state that AI agents introduce "novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation." Three goals govern Microsoft's security controls for AI agents: non-repudiation of an agent's actions as distinguishable from human user actions; appropriate privacy standards for agents that handle protected user data; and human user approval of agent queries and actions. Additionally, the article lists six security principles to consider for AI agents: 1. Agents are autonomous, vulnerable to attack, and must be properly contained; 2. Agents must produce verifiable logs; 3. Users should have a means to supervise agents' activities in detail and authorize or deny agent requests; 4. "Authorized agent privileges should be granular, specific and time bound," operating with least privilege; 5. System access to an agent should be limited to its owner; and 6. Microsoft and Windows strive to maintain privacy and responsible AI standards.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for mitigating risks from bulletproof hosting providers. The document, which was published jointly with international partners in Australia, Canada, the Netherlands, New Zealand, and the UK, urges "network defenders and ISPs ... to implement the recommendations in this guide, ... includ[ing] conducting traffic analysis, curating a list of “high confidence” malicious internet resources and performing automated and regular reviews of this list. Additionally, to further diminish the effectiveness of BPH infrastructure, ISPs should take specific actions such as notifying customers about malicious internet resource lists and associated filters, creating filters that customers can apply and establish standards and norms for ISP accountability." The US Treasury and counterparts in the UK and Australia have sanctioned a Russian bulletproof hosting provider called Media Land for its alleged support of criminal activity. They have also sanctioned Data Center Kirishi and ML Cloud, organizations related to Media Land.