ZeroDay

Zero-Day Vulnerability in Gladinet File-Sharing Software Actively Exploited, No Patch Available

Active attacks exploit Gladinet CentreStack/Triofox zero-day (CVE-2025-11371). No patch available; apply LFI mitigation now.

11-Oct-2025
2 min read

Related Articles

CLOP

Zero Day

Critical Oracle E-Business Suite flaws CVE-2025-61882 and CVE-2025-61884 were ex...

The enterprise software landscape is facing a significant security crisis following the discovery of two critical vulnerabilities in **Oracle E-Business Suite (EBS)**. The situation escalated when a vulnerability patched in early October, **CVE-2025-61882**, was exploited as a zero-day by threat actors linked to the **CL0P extortion group**, leading to a widespread data theft and extortion campaign affecting dozens of organizations. Oracle has since issued another emergency alert for a separate, high-severity flaw, **CVE-2025-61884**, warning that it could allow unauthenticated attackers to access sensitive data. This one-two punch has placed organizations relying on the popular enterprise resource planning platform at severe risk, underscoring the critical need for immediate patching and robust security measures.

## CVE-2025-61882 and CVE-2025-61884

### Technical Specifications at a Glance

The following table breaks down the key characteristics of the two recently disclosed Oracle E-Business Suite vulnerabilities:

| **Characteristic** | **CVE-2025-61882** | **CVE-2025-61884** |
| :--- | :--- | :--- |
| **CVSS v3.1 Score** | 9.8 (Critical) | 7.5 (High) |
| **Attack Vector** | Network | Network |
| **Authentication Required** | No | No |
| **Primary Impact** | Remote Code Execution | Unauthorized Data Access |
| **Affected Component** | Oracle Concurrent Processing (BI Publisher Integration) | Oracle Configurator (Runtime UI) |
| **Affected Versions** | 12.2.3 through 12.2.14 | 12.2.3 through 12.2.14 |

### Technical Mechanism of Attack

The critical vulnerability **CVE-2025-61882** has been the primary vector for the ongoing extortion campaign. Analysis from CrowdStrike and Google Threat Intelligence Group (GTIG) reveals a sophisticated, multi-stage exploit chain. The attack begins with an **authentication bypass**, initiated by a malicious `POST` request to the `/OA_HTML/SyncServlet` endpoint.

Once access is gained, the threat actors abuse Oracle's **XML Publisher Template Manager** to achieve code execution. They upload a malicious XSL template into the EBS database, where it is stored in the `XDO_TEMPLATES_B` table. The template's name consistently begins with the prefix `TMP` or `DEF`. The final stage involves triggering the execution of this payload by calling the Template Preview functionality, which executes the embedded commands. This technique allows the attackers to deploy web shells and other malware, establishing persistence and enabling data exfiltration.

## Extortion Campaign: Tactics, Techniques, and Procedures (TTPs)

### CL0P's Mass Exploitation Playbook

GTIG and Mandiant have attributed this campaign to a threat actor claiming affiliation with the **CL0P extortion brand**, a group notorious for mass exploitation of zero-day vulnerabilities in managed file transfer systems. The campaign follows a now-familiar playbook: exploit a zero-day, steal victim data, and initiate extortion attempts weeks later.

The first known exploitation of CVE-2025-61882 [occurred](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html) as early as **August 9, 2025**, with suspicious activity dating back to July 10, 2025, weeks before a patch was available. The extortion phase began on **September 29, 2025**, when the actor launched a high-volume email campaign to executives at numerous organizations. These emails, sent from hundreds of compromised third-party accounts to bypass spam filters, alleged the theft of sensitive data from the victims' Oracle EBS environments and provided limited file listings as proof. The emails directed victims to contact `[email protected]` and `[email protected]`, addresses associated with the CL0P data leak site.

### A Sophisticated Malware Arsenal

To maintain control within compromised environments, the threat actors deployed a chain of Java-based implants. These malware families are designed for in-memory execution to avoid detection on disk. Observed payloads include:

* **GOLDVEIN.JAVA**: A downloader used to retrieve additional malicious components.
* **SAGEGIFT, SAGELEAF, and SAGEWAVE**: A suite of tools that blend dynamic filters and template-based payload delivery through the database, facilitating stealthy operations and data exfiltration.

## A Defender's Guide

### Immediate Patching is Non-Negotiable

Oracle has strongly recommended that customers apply the emergency updates for both CVE-2025-61882 and CVE-2025-61884 as soon as possible (see the [NVD entry for CVE-2025-61884](https://nvd.nist.gov/vuln/detail/CVE-2025-61884)). It is crucial to note that for CVE-2025-61882, the **October 2023 Critical Patch Update is a prerequisite** for applying the new security patch. Organizations should urgently review their patch levels and proceed with updates. Patches are provided for product versions covered under Premier or Extended Support phases.

### Proactive Threat Hunting and Hardening

Given that exploitation may have begun months before patches were released, organizations must proactively hunt for signs of compromise. Security researchers and Oracle recommend the following actions:

* **Scan for Malicious Templates**: Query the `xdo_templates_vl` database table for templates with names starting with `TMP` or `DEF` followed by 16 random hex characters.
* **Monitor for IOCs**: Hunt for network connections to known malicious IPs provided by Oracle, including `200[.]107[.]207[.]26` and `185[.]181[.]60[.]11`. Also, monitor for commands associated with the exploit, such as reverse shell commands.
* **Inspect Session Logs**: Investigate suspicious sessions in the `icx_sessions` table, particularly for `UserID 0` (sysadmin) and `UserID 6` (guest).
* **Reduce Attack Surface**: As a temporary measure, consider disabling direct internet access to exposed Oracle EBS services and ensure instances are secured behind a web application firewall (WAF).

## Escalating Threat to Enterprise Software

This incident is part of a dangerous trend where sophisticated threat actors systematically target business-critical software. The CL0P group has repeatedly used this model with great success, having previously exploited zero-days in Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. Shifting this playbook to a core enterprise platform like Oracle E-Business Suite, which manages finances, supply chains, and customer relationships for countless organizations, represents an escalation in both ambition and potential impact.

The public leaking of a proof-of-concept exploit for [CVE-2025-61882](https://nvd.nist.gov/vuln/detail/CVE-2025-61882) on a Telegram channel on October 3, 2025, has further heightened the threat landscape. This disclosure lowers the barrier to entry for other threat actors, making it likely that attacks will evolve from targeted exploitation to broader, opportunistic campaigns in the near future.
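The three hunting checks from the "Proactive Threat Hunting and Hardening" list, turned into runnable triage logic. This is an added example, not Oracle's or the article's tooling: the row keys (`template_code`, `user_id`, `dst_ip`) are assumed column names for rows exported from `xdo_templates_vl`, `icx_sessions` and a connection log, the sample rows are constructed, and the two indicators are the IPs quoted above.

```python
import re

# Template names of the form TMP or DEF followed by exactly 16 hex characters
MALICIOUS_TEMPLATE = re.compile(r"^(?:TMP|DEF)[0-9A-Fa-f]{16}$")

# Indicators as published (defanged) in the article
DEFANGED_IOCS = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]

def refang(indicator):
    """Convert a defanged indicator such as 1[.]2[.]3[.]4 back to 1.2.3.4."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

def suspicious_templates(rows):
    """Template codes matching the naming pattern used by the exploit chain."""
    return [r["template_code"] for r in rows
            if MALICIOUS_TEMPLATE.match(r["template_code"])]

def suspicious_sessions(rows):
    """icx_sessions rows for UserID 0 (sysadmin) and UserID 6 (guest)."""
    return [r for r in rows if r["user_id"] in (0, 6)]

def ioc_connections(rows):
    """Connections whose destination is one of the published indicators."""
    return [r for r in rows if r["dst_ip"] in IOC_IPS]

# Constructed sample rows (assumed column names, not real data)
TEMPLATES = [{"template_code": "XXAPINVOICE"},           # legitimate custom name
             {"template_code": "TMP4f3a9c2e1b7d6a05"},   # matches pattern
             {"template_code": "DEFAULT_LAYOUT"},         # DEF prefix but not hex
             {"template_code": "DEF00ff00ff00ff00ff"}]   # matches pattern
SESSIONS = [{"session_id": 101, "user_id": 0},
            {"session_id": 102, "user_id": 1234},
            {"session_id": 103, "user_id": 6}]
CONNECTIONS = [{"src_ip": "10.0.0.5", "dst_ip": "200.107.207.26"},
               {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10"}]

def triage():
    """Run all three checks over the sample rows and return the findings."""
    return {"templates": suspicious_templates(TEMPLATES),
            "sessions": [s["session_id"] for s in suspicious_sessions(SESSIONS)],
            "connections": [c["dst_ip"] for c in ioc_connections(CONNECTIONS)]}

if __name__ == "__main__":
    print(triage())
```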

13-Oct-2025
5 min read

WP

Zero Day

Critical WordPress plugin flaw lets hackers takeover any site instantly. Zero-cl...

A critical authentication bypass vulnerability (CVE-2025-5947) has been identified in the Service Finder Bookings WordPress plugin, rated with a CVSS score of 9.8. Active exploitation campaigns have been observed since August 2025, enabling unauthenticated attackers to compromise any user account, including administrative privileges, leading to complete site takeover.

### Key Risk Indicators

- **Threat Level:** CRITICAL
- **Exploitation Status:** ACTIVE IN WILD
- **Patch Availability:** YES (Version 6.1+)
- **Response Urgency:** IMMEDIATE ACTION REQUIRED

## VULNERABILITY TECHNICAL SPECIFICATION

### Core Vulnerability Metrics

| **Parameter** | **Details** |
|--------------|-------------|
| **CVE Identifier** | CVE-2025-5947 (Primary), CVE-2025-5948 (Secondary) |
| **CVSS Score** | 9.8 (Critical) |
| **Vulnerability Type** | Authentication Bypass |
| **Attack Vector** | Network (Unauthenticated) |
| **Attack Complexity** | Low |
| **Privileges Required** | None |
| **User Interaction** | None |
| **Scope** | Changed |
| **Confidentiality Impact** | High |
| **Integrity Impact** | High |
| **Availability Impact** | High |

### Root Cause Analysis

#### Primary Attack Vector (CVE-2025-5947)

**Vulnerable Function:** `service_finder_switch_back()`

**Root Cause:** Improper validation of user-supplied cookie parameters

**Technical Mechanism:**

```php
// Vulnerable code pattern (simplified)
function service_finder_switch_back() {
    $user_id = $_COOKIE['switch_user_id']; // No proper validation
    wp_set_current_user($user_id);         // Direct privilege assignment
}
```

**Impact:** Allows unauthenticated attackers to specify any user ID and assume that identity.

#### Secondary Attack Vector (CVE-2025-5948)

**Vulnerable Endpoint:** `claim_business` AJAX action

**Root Cause:** Missing authorization checks

**Impact:** Enables account takeover through business claim functionality.

## IMPACT ASSESSMENT

### Immediate Risk Profile

| **Impact Area** | **Severity** | **Description** |
|----------------|--------------|-----------------|
| **Privilege Escalation** | Critical | Unauthenticated attackers can become any user |
| **Administrative Compromise** | Critical | Full WordPress admin access achievable |
| **Data Confidentiality** | High | Access to all user data, including potential PII |
| **Data Integrity** | Critical | Modify/delete any content or user data |
| **Business Continuity** | High | Complete site takeover and defacement possible |

### Attack Chain Analysis

![attack_chain_analysis.png](https://sb-cms.s3.ap-south-1.amazonaws.com/attack_chain_analysis_bd914df2b5.png)

## REMEDIATION PROTOCOL

### Immediate Response Timeline

**CRITICAL ACTIONS (0-24 HOURS)**

1. **IMMEDIATE CONTAINMENT**
   - Update Service Finder Bookings to version 6.1+
   - Alternative: Disable plugin if update not possible
   - Force logout all users (invalidate sessions)
2. **COMPROMISE ASSESSMENT**
   - Review user accounts for unauthorized administrators
   - Check for suspicious plugins/themes
   - Scan for web shells and backdoors

**PRIORITY ACTIONS (24-72 HOURS)**

3. **FORTIFICATION**
   - Implement WAF rules blocking exploitation attempts
   - Change all administrative passwords
   - Enable enhanced logging

### Step-by-Step Remediation Guide

#### Phase 1: Emergency Patching

```bash
# WordPress CLI command to update plugin
wp plugin update service-finder-bookings

# Alternative: Disable plugin
wp plugin deactivate service-finder-bookings
```

#### Phase 2: Compromise Assessment

1. **User Account Audit**
   - Review WordPress users table for new admin accounts
   - Check user registration dates and last login times
   - Verify administrator email addresses
2. **File System Analysis**
   - Compare core files with fresh WordPress installation
   - Scan uploads directory for suspicious PHP files
   - Check .htaccess for malicious redirects
3. **Database Integrity Check**
   - Review wp_options for malicious code injections
   - Check for unauthorized plugin installations
   - Verify post/content modifications

#### Phase 3: Security Hardening

1. **Access Control Reinforcement**
   - Implement two-factor authentication
   - Limit login attempts
   - Restrict admin access by IP
2. **Monitoring Enhancement**
   - Enable real-time security alerts
   - Monitor for authentication anomalies
   - Implement file integrity monitoring

## THREAT INTELLIGENCE INDICATORS

### Known Attack Infrastructure

| **IP Address** | **First Seen** | **ASN** | **Country** | **Threat Score** |
|----------------|----------------|---------|-------------|------------------|
| 5.189.221.98 | August 2025 | 51167 | Romania | High |
| 185.109.21.157 | August 2025 | 210644 | Russia | High |
| 192.121.16.196 | September 2025 | 51167 | Romania | High |
| 194.68.32.71 | September 2025 | 197351 | Ukraine | Medium |
| 178.125.204.198 | October 2025 | 51548 | Ukraine | Medium |

### Compromise Detection Signatures

#### HTTP Request Patterns

```apache
# Suspicious request patterns to monitor (combined log format)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" security

# Detection rules for exploitation attempts: reject requests that carry
# the vulnerable action together with a numeric user_id in the query string
RewriteEngine On
RewriteCond %{QUERY_STRING} "action=service_finder_switch_back" [NC]
RewriteCond %{QUERY_STRING} "user_id=[0-9]+" [NC]
RewriteRule .* - [F,L]
```

#### WordPress Log Analysis Queries

```sql
-- Check for recently registered administrator-level users.
-- wp_users has no user_level column; the level lives in wp_usermeta
-- under the prefixed key wp_user_level (10 = administrator).
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE u.user_registered > '2025-08-01'
  AND m.meta_key = 'wp_user_level'
  AND m.meta_value = '10';

-- Review user meta for role changes
SELECT * FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
  AND meta_value LIKE '%administrator%';
```
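The HTTP request signature above applied to access logs after the fact, for sites where the rewrite rule was not yet in place. This is an added example, not the article's or the plugin's code: it parses Apache combined-format lines, flags requests matching the `service_finder_switch_back` plus numeric `user_id` pattern, and cross-references the source IP against the infrastructure table. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, as produced by the LogFormat line above
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Source IPs from the article's attack-infrastructure table
KNOWN_INFRA = {"5.189.221.98", "185.109.21.157", "192.121.16.196",
               "194.68.32.71", "178.125.204.198"}

# Constructed sample log lines (not real traffic); lines 1 and 4 carry the
# pattern the RewriteCond rules describe, line 3 lacks the user_id parameter
SAMPLE_LOG = """\
203.0.113.9 - - [12/Oct/2025:10:01:22 +0000] "GET /?action=service_finder_switch_back&user_id=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.77 - - [12/Oct/2025:10:02:05 +0000] "GET /?p=42 HTTP/1.1" 200 9831 "-" "Mozilla/5.0"
192.0.2.78 - - [12/Oct/2025:10:02:40 +0000] "GET /?action=service_finder_switch_back HTTP/1.1" 200 11 "-" "Mozilla/5.0"
5.189.221.98 - - [12/Oct/2025:10:03:59 +0000] "POST /?action=service_finder_switch_back&user_id=7 HTTP/1.1" 200 0 "-" "python-requests/2.32"
"""

def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_switch_back_attempt(entry):
    """Mirror the rewrite rule: the vulnerable action plus a numeric user_id."""
    qs = parse_qs(urlsplit(entry["path"]).query)
    if qs.get("action", [""])[0] != "service_finder_switch_back":
        return False
    return any(v.isdigit() for v in qs.get("user_id", []))

def scan(log_text):
    """Return (ip, method, reason) for every line that deserves analyst review."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        if is_switch_back_attempt(e):
            reason = "switch_back exploit pattern"
            if e["ip"] in KNOWN_INFRA:
                reason += " from known attack infrastructure"
            hits.append((e["ip"], e["method"], reason))
        elif e["ip"] in KNOWN_INFRA:
            hits.append((e["ip"], e["method"], "known attack infrastructure"))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```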

11-Oct-2025
4 min read

Data breach

Discord data breach via third-party vendor exposed 70,000 users' government IDs ...

A significant data breach at a third-party customer service provider used by Discord has compromised the sensitive government ID photos of approximately 70,000 users, the company confirmed in an October 9th update. The incident, which occurred on September 20th, underscores the growing vulnerability of user data through supply-chain attacks, even when core platforms remain secure.

Hackers, identifying as "Scattered Lapsus$ Hunters (SLH)," gained access to the vendor's support system for 58 hours. While they claim to have exfiltrated 1.6 terabytes of data affecting 5.5 million users, including over 2 million ID photos, Discord has refuted these figures, stating they are "inaccurate" and part of an extortion attempt. The company has refused to pay any ransom.

The table below summarizes the compromised and safe data based on Discord's official advisory.

| **Data Potentially Exposed** | **Data Confirmed Safe** |
| :--- | :--- |
| Government ID photos (e.g., driver's licenses, passports) | Full credit card numbers & CVV codes |
| User names, Discord usernames, & email addresses | User account passwords |
| Messages with customer service agents | Private messages & activity on Discord platforms |
| IP addresses & limited billing info (last 4 digits of credit cards) | |

### Third-Party Weak Link

The breach did not result from a flaw in Discord's own infrastructure. Instead, it was executed by compromising a support agent's account at its third-party customer service provider, identified in some reports as 5CA. This vendor was responsible for handling age-verification appeals, a process that requires users to submit highly sensitive government identification. This incident exemplifies a **supply-chain attack**, where cybercriminals target a less-secure partner to bypass the primary company's defenses. Discord has since revoked the vendor's access to its ticketing system.

### Age-Verification Debate

The exposure of thousands of government IDs has intensified the debate around online age-verification laws. Platforms like Discord are increasingly required by regulations, such as the UK's Online Safety Act, to confirm users' ages, often leading to the collection of highly sensitive documents. Privacy advocates warn that this creates a dangerous precedent. **"Age verification systems are surveillance systems,"** said Maddie Daly of the Electronic Frontier Foundation. She further noted that such systems leave users "highly vulnerable to data breaches and other security harms, as we see time and time again".

### Actionable Guidance for Affected Users

Discord is directly notifying impacted users via `[email protected]` and will not use phone calls for this communication. If you receive this notification or have previously contacted Discord support, you should:

- Be suspicious of unsolicited emails, calls, or messages that ask for personal information or direct you to click on links.
- Ensure any email claiming to be from Discord comes from the `[email protected]` address.
- Add an extra layer of security to your Discord account and other critical online accounts.

The breach is a stark reminder of the cascading risks posed by third-party vendors. As Nathan Webb, a principal consultant at Acumen Cyber, stated, **"Despite age verification being outsourced, businesses still have an accountability to ensure that data is stored appropriately"**. Discord said it has notified data protection authorities and is working with law enforcement on an ongoing investigation.

10-Oct-2025
3 min read