Midweek Patch Panic: Oracle’s Zero‑Day, Red Hat’s Repo Raid, and BRICKSTORM in the Walls

Oracle EBS zero-day in the wild, Red Hat GitLab breach spills 570 GB of secrets, stealthy BRICKSTORM backdoors lurk in appliances — patch, hunt, log

This week's threat landscape is urgent: a zero-day exploit, a repository breach, and a critical backdoor your EDR cannot see. Oracle released an emergency patch. Red Hat has been breached through its Consulting GitLab instance. IBM swiftly fixed identity appliances. Talos warns: do not trust unverified files with privileged tools. Ransomware is abusing legitimate RMM agents. NCSC's guidance is clear—log everything, retain those logs, and actively pursue threats. Act fast.

LIVE EXPLOIT ALERT: Oracle ERP RCE (CVE-2025-61882)

UncleSp1d3r: Oracle released a warning about CVE-2025-61882, a bug that lets hackers break into E-Business Suite's processing systems without needing a password. Hackers linked to Cl0p/Graceful Spider are already using it to take control of exposed servers over the internet, drop hidden files, collect data, and export big chunks of your database. According to a report from US-CERT, you should patch your EBS (versions 12.2.3–12.2.14) immediately if it is exposed to the internet, take it offline if possible, and monitor for unusual changes, new user accounts, or unexplained data exports; unpatched systems are the ones that get hit. Oracle's advisory includes the fixes, and other security groups like CrowdStrike, Rapid7, and Tenable confirm this is happening now. For more information, see their posts.

In simple terms, this is an open door into your ERP system. Patch right away, limit external access, put EBS behind a web application firewall that blocks known exploits, and check the app server for signs of compromise. Treat all nearby credentials as potentially exposed and rotate them after you check the host. If your EBS was online this week, assume it was targeted and respond accordingly. Take 60 seconds: is your EBS externally reachable right now? That one answer decides how urgent the rest of this is.

Breach Desk: Red Hat Consulting's GitLab got raided

KryptoKat: Red Hat confirmed that unauthorized access was gained to a self-hosted GitLab instance used by its Consulting group. A group called "Crimson Collective" claims to have stolen about 570 GB of compressed data from around 28,000 private repositories. This could include hundreds, if not thousands, of API keys, database URIs, CI/CD tokens, runner credentials, and Customer Engagement Reports—the kind of information attackers use for lateral movement, extortion, and targeted phishing. Consider a mid-sized organization with dozens of repositories: the potential exposure is significant, including compromised credentials and sensitive configurations. Red Hat is notifying affected customers and investigating the issue. Customers should assume anything in those repositories or CI variables could be exposed and should rotate credentials now. For more details, see Red Hat's incident update and coverage from BleepingComputer, SecurityWeek, The Register, and Check Point.

Top priorities—no delay: inspect repositories and CI variables for secrets, revoke and rotate tokens, mandate password resets and MFA for admins, developers, and service accounts. Scrutinize GitLab access logs, export/download history, runner logs, and token usage. Preserve detailed logs and snapshots for legal review. Watch extortion forums; criminal escalation can be immediate.
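A starting point for the "inspect CI variables for secrets" step above, as an added example that is not part of the original post or of any Red Hat or GitLab tooling: it scans an exported set of CI variables for secret shapes (GitLab personal access tokens, AWS access key IDs, database URIs with embedded credentials) and reports each hit with the value redacted, so the output can go straight into a rotation ticket. The variable names and values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a GitLab CI variable export; none of these values are real.
SAMPLE_CI_VARIABLES = {
    "CI_COMMIT_SHA": "8f2a1c0e9d4b7a6f5e3c2d1b0a9f8e7d6c5b4a39",
    "DATABASE_URL": "postgres://svc_user:Pa55w0rd-ex@db.internal.example:5432/crm",
    "DEPLOY_TOKEN": "glpat-ABCDEFGHIJKLMNOPQRST",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE12",
    "LOG_LEVEL": "info",
}

# Patterns describe secret *shapes*, not specific values. The DB URI pattern only
# matches when a user:password pair is embedded before the host.
PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_uri_with_creds": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@[^\s/]+"
    ),
}

@dataclass
class Finding:
    variable: str
    kind: str
    redacted: str

def redact(value: str) -> str:
    """Keep enough of the value to locate it, never enough to reuse it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_ci_variables(variables: dict) -> list:
    """Return one Finding per variable whose value matches a secret pattern."""
    findings = []
    for name, value in variables.items():
        for kind, pattern in PATTERNS.items():
            if pattern.search(value):
                findings.append(Finding(name, kind, redact(value)))
                break  # one finding per variable is enough to trigger rotation
    return findings

if __name__ == "__main__":
    for f in scan_ci_variables(SAMPLE_CI_VARIABLES):
        print(f"{f.variable}: {f.kind} ({f.redacted}) -> revoke and rotate")
```

Run the same scanner over `git grep`-style dumps of repository contents; the patterns are value-based, so they work on files as well as on variable exports.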

Edge and Virtualization: BRICKSTORM lurks where EDR doesn't

KryptoKat: BRICKSTORM is a stealthy backdoor written in Go that UNC5221 uses. According to a CISA alert, it gives the operators remote code execution on affected systems, posing a significant risk to both Linux/BSD and Windows environments. The attackers use common web methods to control it and rely on flexible or cloud-based services like sslip.io, nip.io, Cloudflare Workers, and Heroku. They steal account details, use these devices to hide their traffic, make copies of virtual machines for later review, and secretly send data out. Devices like these are good hiding spots because they are rarely checked and often cannot run advanced security tools. Hackers can stay on them for months without being noticed. For more details and helpful resources, see Google Cloud GTIG, NVISO's technical report, the AlienVault OTX pulse, and Mandiant's brickstorm-scanner.

Defensive steps: Send all device logs (network, system, login) to your central log system. Use detection tools from GTIG or Mandiant on the device files and backups. Check servers such as vCenter and ESXi for unexpected changes, added users, or new tasks. Limit which computers can access management networks, and make internet access as strict as possible. Be alert for strange or long-lasting internet connections to the cloud services mentioned above. Treat these devices as very important. Ask yourself, if you lost the device today, would your logs tell you what happened? Forwarding device logs and keeping records helps you find problems and recover after attacks.
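The "strange or long-lasting connections to the cloud services mentioned above" check, as an added example that is not part of the original post or of the GTIG/Mandiant tooling: it reads a constructed appliance egress log, flags destinations under the wildcard-DNS services (sslip.io, nip.io) and the throwaway hosting domains (workers.dev, herokuapp.com, assumed as the default domains for Cloudflare Workers and Heroku), decodes the IP that sslip.io/nip.io names embed, and also flags sessions that stay open longer than a threshold. The log format and every host and address in it are made up for the example.

```python
import csv
import io
import re
from typing import Optional

# Constructed appliance egress log (CSV); hosts and IPs are made up for the example.
SAMPLE_LOG = """ts,src,dst_host,dst_port,duration_s
2025-10-06T01:02:03Z,10.20.0.5,updates.example-vendor.com,443,12
2025-10-06T01:05:00Z,10.20.0.5,203-0-113-7.sslip.io,443,86400
2025-10-06T02:10:00Z,10.20.0.9,api.198.51.100.23.nip.io,443,5400
2025-10-06T03:00:00Z,10.20.0.5,quiet-relay.workers.dev,443,30
2025-10-06T03:30:00Z,10.20.0.7,mail.example.org,25,3
"""

# Infrastructure families named in the reporting. Suffix match catches subdomains.
WILDCARD_DNS = (".sslip.io", ".nip.io")
CLOUD_RELAY = (".workers.dev", ".herokuapp.com")  # assumed default domains
# sslip.io / nip.io encode the real endpoint in the name: 203-0-113-7 or 203.0.113.7
EMBEDDED_IP = re.compile(r"(?:^|\.)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.")

def classify_host(host: str) -> Optional[str]:
    """Label a destination as wildcard_dns, cloud_relay, or None if not watched."""
    h = host.lower()
    if h.endswith(WILDCARD_DNS):
        return "wildcard_dns"
    if h.endswith(CLOUD_RELAY):
        return "cloud_relay"
    return None

def flag_suspicious(log_text: str, min_long_session: int = 3600) -> list:
    """Return rows that hit watched infrastructure or are unusually long-lived."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        kind = classify_host(row["dst_host"])
        if kind:
            reasons.append(kind)
            ip = EMBEDDED_IP.search(row["dst_host"])
            if ip:  # surface the real C2 endpoint hidden in the wildcard name
                reasons.append("embedded_ip=" + ".".join(ip.groups()))
        if int(row["duration_s"]) >= min_long_session:
            reasons.append("long_session")
        if reasons:
            hits.append({"src": row["src"], "dst": row["dst_host"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(hit)
```

Long sessions from an appliance to any external host deserve a look on their own; the wildcard-DNS hit plus a decoded IP is the combination worth paging on.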

Vendor Patch Roundup

KryptoKat: Vendors are racing to patch critical vulnerabilities. IBM issued fixes for severe identity infrastructure flaws: CVE-2025-36354 (unauthenticated command injection) and CVE-2025-36355/36356 (local script execution and privilege escalation), impacting IBM Security Verify Access (10.0.0.0-10.0.9.0) and Verify Identity Access (11.0.0.0-11.0.1.0). Attackers could seize your SSO or proxy; if that happens, they can access everything behind it. Immediately apply Fixpack 10.0.9.0-IF3 (Verify Access) and 11.0.1.0-IF1 (Verify Identity), restrict admin interfaces, enforce MFA, and audit all abnormal activity. See IBM Support, the Tenable CVE page, and the GHSA entry for urgent details.

UncleSp1d3r: Cisco Talos found bugs in programs that handle files from outside sources. CVE-2025-23340 affects NVIDIA's CUDA tools, letting a crafted file trigger an out-of-bounds read. Adobe's CVE-2025-54257 is a bug in Acrobat/Reader that could be misused by malformed files. These show supply chain risks, since risky files often enter through automated systems. Patch both. Never run these file analysis tools with high privileges on main systems. Open unknown ELF or PDF files in an isolated virtual machine with no special access. For details and patches, see the Talos blog, the NVIDIA advisory, NVD entries for CVE-2025-23340 and CVE-2025-54257, and Adobe APSB25-85.

TTP Watch: Ransomware crews love your RMM

KryptoKat: Human-operated ransomware operators are increasingly abusing legitimate RMM/remote-access tools. Attackers commonly target AnyDesk, Splashtop, ScreenConnect/ConnectWise, TeamViewer, and Atera. Signed agents blend in with normal background activity, appearing legitimate to monitoring systems. With console access or agent credentials, attackers can move laterally, push software en masse, deploy scripted payloads, and steal data—often under the guise of typical IT operations, making malicious actions harder to detect. Countermeasures include inventorying and authorizing agents, removing unknown or unused installs, restricting consoles to allow-listed admin networks with MFA, forwarding detailed session logs/recordings to your SIEM, and alerting on RMM-spawned scripting interpreters and unusual file transfer volumes. References: CISA/NSA/MS-ISAC guidance, Microsoft on RMM-enabled intrusions, and recent community discussion on r/blueteamsec.
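Two of the countermeasures above (an authorized-agent inventory, and alerting on RMM-spawned scripting interpreters) as detection logic over process-creation telemetry; this is an added example, not code from the original post or from any of the vendors named. The RMM executable names are the common image names for those products and are an assumption to tune against what your authorized deployments actually install; the events, hosts and paths are constructed.

```python
import ntpath
from typing import Iterable

# Common image names for the RMM products above (assumed; tune to your deployments).
RMM_IMAGES = {
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "srserver.exe", "ateraagent.exe",
}
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events in the shape EDR/Sysmon-style telemetry gives you.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\run.ps1"},
    {"host": "ws02", "parent": r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "ws04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def base(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores install dirs."""
    return ntpath.basename(path).lower()

def detect_rmm_abuse(events: Iterable[dict], authorized: set) -> list:
    """Alert on any RMM agent spawning a script interpreter, and on RMM agents
    running that are not in the authorized inventory."""
    alerts = []
    for ev in events:
        parent, image = base(ev["parent"]), base(ev["image"])
        if parent in RMM_IMAGES and image in SCRIPT_INTERPRETERS:
            alerts.append({"host": ev["host"], "rule": "rmm_spawned_interpreter",
                           "agent": parent, "child": image})
        if image in RMM_IMAGES and image not in authorized:
            alerts.append({"host": ev["host"], "rule": "unauthorized_rmm_agent",
                           "agent": image})
    return alerts

if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS, authorized={"ateraagent.exe"}):
        print(alert)
```

The interpreter rule fires even for an authorized agent: a legitimate RMM session running scripts is exactly what a ransomware operator's session looks like, so triage it against the session recording rather than suppress it.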

Guidance to Bank: Observability beats vibes

KryptoKat: The NCSC's recent note—boosted this week in r/blueteamsec—says the quiet part loud and clear: if you can't see it, you can't hunt it. According to a recent analysis of vulnerabilities reported by the Zero Day Initiative, organizations should prioritize collecting and retaining process command lines, DNS and TLS metadata, network flow information, and cloud audit logs for 30 to 90 days, with the period extended for critical systems. It is also important to bring CI/CD runners and appliances into your security monitoring quickly. Don't just collect data—actively hunt through relentless purple-team drills with MTTD/MTTR targets, and decisively address any gaps uncovered. Start now: the NCSC blog and the community thread. As Captain Sisko might put it: vigilance isn't a basic setting, it's an unceasing posture toward security.

Closing thoughts: If you do nothing else before Friday, patch Oracle EBS. Rotate anything that ever touched your GitLab CI/CD. Include appliance management in your logging processes. The common theme this week is not about advanced techniques—it is about having clear visibility into your environment and responding quickly when issues arise. Detect issues early. Patch as soon as possible. Regularly rotate credentials and tokens.

See you on Sunday. In the meantime, check your CI variables now so that your weekend does not turn into an incident where an attacker gains control of your data. Stay vigilant: keep visibility into your environment and respond rapidly to threats.