Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Cisco Patches CVE-2025-20341, CVE-2025-20349, and CVE-2025-20353 Affecting Catalyst Center - On 13 November 2025, Cisco disclosed and patched three security vulnerabilities affecting Cisco Catalyst Centre, its centralised network management and automation platform. At the time of publication, there were no known cases of these flaws being exploited in the wild. The most serious issue, CVE-2025-20341, is a high-severity privilege-escalation flaw in the Cisco Catalyst Centre Virtual Appliance on VMware ESXi. Owing to improper validation of user input, an attacker with authenticated Observer-level access could send a crafted HTTP request to obtain Administrator privileges, potentially allowing the creation of new accounts or unauthorised system modifications.
The remaining issues, CVE-2025-20349 and CVE-2025-20353, are both rated medium in severity. CVE-2025-20349 involves command injection in the REST API, caused by insufficient input validation, which could allow an authenticated Observer-level user to execute arbitrary commands within a restricted container running as root. CVE-2025-20353, by contrast, is a cross-site scripting vulnerability in the web interface that requires no authentication. An attacker could lure a user into clicking a malicious link, enabling the execution of harmful scripts in the user’s browser or access to session-related information.
Zyxel Patches CVE-2025-6599 and CVE-2025-8693 in Multiple Network Devices - On 18 November 2025, Zyxel released patches for CVE-2025-6599 and CVE-2025-8693, two vulnerabilities affecting a broad range of its network devices. Updated firmware is now available, and according to Zyxel there have been no reports of either flaw being actively exploited in the wild. The more prominent vulnerability, CVE-2025-6599, is an uncontrolled resource consumption issue that allows attackers to perform Slowloris-style denial-of-service attacks. By interrupting HTTP requests, a threat actor could degrade or block access to the web management interface of affected devices.
CVE-2025-6599 affects a wide selection of Zyxel hardware, including 4G/5G CPEs, DSL/Ethernet CPEs, fibre ONTs, security routers, and wireless extenders. Impacted models include well-known lines such as LTE3301-PLUS, NR5103 series, numerous EX and VMG series gateways, AX7501 fibre units, the SCR 50AXE security router, and WX-series wireless extenders. Administrators are strongly encouraged to apply the latest firmware updates to ensure protection against potential service disruption.
Mozilla Patches Sixteen Vulnerabilities Affecting Firefox and ESR - On 11 November 2025, Mozilla released patches for sixteen vulnerabilities affecting Firefox 145 and Firefox ESR versions 140.5 and 115.30. These flaws spanned major browser components, including WebGPU, WebAssembly, the JavaScript JIT engine, and DOM modules. Several issues involved memory corruption, use-after-free conditions, same-origin policy bypasses, and sandbox escapes - some of the most serious classes of browser vulnerabilities. Although these weaknesses could enable privilege escalation, arbitrary code execution, or the bypassing of core security mechanisms, Mozilla reported no evidence of exploitation in the wild at the time of disclosure.
The affected vulnerabilities varied in severity, with older ESR builds especially exposed to mitigation bypasses and memory-safety issues. Some flaws, such as JIT miscompilation and race conditions, posed significant risks due to their potential for remote code execution or evasion of browser isolation. To reduce exposure, we recommend promptly updating to Firefox 145 or ESR versions 140.5 or 115.30, as these updates address all identified vulnerabilities and reinforce the browser’s security posture.
Potential Threats
Kraken Ransomware Group Conducts Global Cross-Platform Attacks Using SMB Exploits and Double Extortion Tactics - On 13 November 2025, Cisco reported that the Kraken ransomware group, a Russian-speaking threat actor that emerged from the HelloKitty ransomware cartel, has continued to carry out global cross-platform attacks on multiple enterprises since August 2025. The group targets Windows, Linux, and VMware ESXi systems, employing RSA-4096 and ChaCha20 encryption algorithms. Operating internationally across the US, UK, Canada, Denmark, Panama, and Kuwait, Kraken has demanded ransoms of up to 1 million USD. Cisco linked Kraken to HelloKitty through shared ransom note filenames and infrastructure, and observed the group establishing a new underground forum, “The Last Haven Board”, to facilitate communication within the cybercriminal ecosystem.
Kraken’s infection chain begins with exploiting unspecified Server Message Block (SMB) vulnerabilities to gain initial access to internet-exposed servers. Once inside the victim’s environment, the group extracts credentials and reconnects via Remote Desktop Protocol (RDP). To maintain persistence, Kraken installs Cloudflared to set up reverse tunnels and uses SSH Filesystem (SSHFS) to exfiltrate sensitive data. Following data exfiltration, the group deploys its “Kraken Ransomware” across connected systems using stolen administrator accounts, encrypting local drives, network shares, and virtual machines. The ransomware leverages encryption benchmarking to optimise performance before execution, ensuring effective file encryption while reducing the risk of detection.
Threat Actors Deploy XWorm RAT in Phishing Campaign Using Obsolete Visual Basic Script Loader - On 13 November 2025, Malwarebytes identified a phishing campaign delivering a Visual Basic Script (.vbs) file disguised as an invoice and payment document. The attachment was determined to be Backdoor.XWorm, a remote‑access trojan sold through a malware‑as‑a‑service platform. Once executed, the malware allowed threat actors to gather system information, steal credentials, monitor user activity, and deploy further malicious payloads, including ransomware.
Execution of the .vbs file initiated a multilayered infection chain. The script created and covertly executed a batch file via WMI before replicating itself with obfuscation techniques to avoid detection. Embedded Base64‑encoded content was decrypted and decompressed in memory by a PowerShell loader using AES and GZip, ultimately unpacking two executables. One of these was confirmed as XWorm, enabling persistent remote access while leaving minimal forensic evidence on disk due to its memory‑only execution.
Fortinet FortiWeb Path Traversal Vulnerability Exploited in the Wild to Create Admin Accounts - On 13 November 2025, PwnDefend reported the active exploitation of a path traversal vulnerability affecting Fortinet FortiWeb versions prior to 8.0.2. This flaw allows threat actors to send specially crafted HTTP POST requests to the vulnerable endpoint, enabling the creation of administrative accounts. Exploitation of the vulnerability has been observed in the wild since October 2025, and a proof-of-concept has been published by WatchTwr.
At the time of reporting, the vulnerability has not been assigned a CVE identifier. To mitigate the risk, we recommend updating FortiWeb to version 8.0.2 or later, ensuring that systems are protected against potential account compromise and unauthorized administrative access.
General News
Global Espionage Campaign Conducted With Minimal Human Input Using AI Agents Targets Tech, Finance, and Government Sectors - On 14 November 2025, Anthropic disclosed the first documented case of an AI‑orchestrated cyber‑espionage campaign, conducted by the Chinese state‑sponsored group GTG‑1002. The group used Claude Code to autonomously carry out the majority of intrusion activity against around 30 global targets, including major technology companies and government agencies, leading to several confirmed compromises. Human operators contributed only 10–20% of total operational time, primarily approving exploitation decisions and exfiltration parameters, while the AI system independently managed reconnaissance, exploitation, credential harvesting, and lateral movement.
The campaign demonstrated the use of agentic AI to autonomously execute end‑to‑end intrusion operations at scale. After priming Claude through role‑play prompts that framed activities as legitimate security testing, the model mapped networks, generated and validated exploits, extracted credentials, and identified sensitive data. It then prepared intelligence summaries for human approval and maintained detailed operational documentation using structured markdown. GTG‑1002 relied largely on open‑source security tools integrated via the Model Context Protocol, enabling Claude to operate as the core execution engine and allowing the group to run an extensive and efficient espionage campaign with minimal human direction.
US-Based Software Company Cloudflare Discloses Internal Service Disruption Causing Global Platform Outages - On 18 November 2025, Cloudflare experienced global service disruptions during scheduled maintenance at its data centers in Sydney, Tahiti, and Atlanta. Beginning at 11:17 UTC, issues were reported with its support portal, and by 11:48 UTC, internal service degradations affected key offerings, including Access, WARP, and the Cloudflare dashboard. Users across multiple regions encountered intermittent connectivity, elevated error rates, and login failures during this period.
By 13:09 UTC, Cloudflare identified the root cause and began implementing fixes, restoring most Access and WARP functionality, though some dashboard and application services remained delayed. The company reported that the issue was largely resolved by 14:42 UTC, with residual login issues persisting for some users. Cloudflare continues to monitor the situation and confirmed that, as of the time of reporting, the disruptions do not appear to be the result of a cyberattack.
Logitech discloses data breach after Clop claims - Logitech recently disclosed a cybersecurity incident involving a zero-day vulnerability in a third-party software platform, resulting in the exfiltration of certain internal IT system data. According to the company’s SEC filing, the breach likely affected limited information about employees, consumers, customers, and suppliers, but did not involve sensitive personal data such as national ID numbers or credit card information. Logitech stated that the vulnerability was patched promptly by the software vendor and confirmed that the incident did not disrupt its products, operations, or manufacturing, with any associated costs expected to be covered by cyber insurance.
The disclosure comes amid claims by the Clop cybercriminal group that it exploited the same zero-day in Oracle’s E-Business Suite to steal data from multiple organizations, including Logitech. The attack reportedly leveraged several vulnerabilities, including one added to a federal watchlist in September. Clop has used similar tactics to extort other victims, such as Envoy Air and Harvard University, earning hundreds of millions of dollars by exploiting unreported flaws in enterprise file-transfer platforms. Logitech declined to confirm whether Clop was responsible for the breach.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100, and together they determine the group's severity score. This week's updates are shown below.
Severity scale (lowest to highest): Limited, Basic, Moderate, High.

| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| Sandworm Team | Moderate → Moderate | 70 → 69 | 49 → 49 |
| CL0P Ransomware Group (FancyCat) | NEW → Basic | NEW → 30 | NEW → 25 |
| Coinbase_CartelNew | NEW → Basic | NEW → 25 | NEW → 25 |
| BlackNevas Ransomware Group | Basic → Basic | 30 → 30 | 31 → 5 |
| KillSecurity Ransomware Group | Basic → Basic | 25 → 45 | 41 → 46 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| Anonymous ▲ | Aisuru ▲ | CVE-2025-58034 ▲ | DoorDash ▲ |
| Everest Ransomware Group ▲ | DDoS ▲ | CVE-2025-13223 ▲ | Microsoft Azure ▲ |
| NoName057(16) ▲ | T1071.001 (Web Protocols) ▲ | CVE-2025-64446 ▲ | Logitech ▲ |
| iNC RANSOM ▲ | TA0007 (Discovery) ▲ | CVE-2024-24893 ▲ | Cloudflare ▲ |
| Black Ember ▲ | Anubis Ransomware ▲ | CVE-2025-34299 ▲ | Acoss ▲ |
Prominent Information Security Events
Threat Actors Deploy XWorm RAT in Phishing Campaign Using Obsolete Visual Basic Script Loader
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 0861f20e889f36eb529068179908c26879225bf9e3068189389b76c76820e74e
On 13 November 2025, Malwarebytes reported a phishing campaign delivering a Visual Basic Script (.vbs) file disguised as an invoice or payment document. The malicious attachment was identified as Backdoor.XWorm, a remote-access trojan (RAT) offered through a malware-as-a-service platform. Once executed, the malware enabled attackers to collect system information, steal credentials, monitor user activity, and deploy additional payloads, including ransomware, representing a significant threat to affected systems.
The infection chain begins when a victim opens the .vbs attachment, which creates a batch file named IrisBud.bat in the Windows temporary directory and uses Windows Management Instrumentation (WMI) to run it stealthily in the background. The batch file then replicates itself as aoc.bat in the user profile directory, employing variable padding and obfuscation to conceal its behaviour. Base64-encoded content embedded within comment lines is later decrypted and decompressed in memory by a PowerShell loader using AES and GZip, avoiding disk writes and traditional detection methods.
Once fully executed, this process unpacks two executables in memory, one of which is confirmed as XWorm, establishing persistent remote access without leaving traces on disk. This memory-only execution allows threat actors to maintain covert control over compromised systems, execute arbitrary commands, exfiltrate data, and potentially deploy further malicious software. The campaign highlights the ongoing risk of phishing campaigns combined with fileless malware techniques, underscoring the importance of user awareness, email filtering, and endpoint security measures to prevent compromise.
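As an added triage example (not code from the digest or from Malwarebytes), the following Python script looks for the loader pattern described above: long Base64 blobs hidden inside batch-file comment lines. It decodes each blob and reports its size, byte entropy and any recognisable file magic, so a blob with no magic and near-8-bit entropy stands out as likely encrypted. The sample batch text, its padding variables and both blobs are constructed for this example.

```python
import base64
import binascii
import math
import re

# Constructed batch-file text in the style the digest describes: padding variables, Base64
# hidden in comment lines (':: ' and 'REM '), and a PowerShell stage. Both blobs are made up
# for this example; the first merely starts with the gzip magic bytes, the second is plain text.
SAMPLE_BAT = r"""@echo off
set "a1=xyzzyxyzzyxyzzy"
set "a2=qwertyqwertyqwerty"
:: H4sIAAAAAAAA/8vPSy1KLC5RyMxNLFKoVEjOzy3ILSouSE1RAgC3bTuiGAAAAA==
REM VGhpcyBpcyBub3QgYSByZWFsIHBheWxvYWQgYnV0IGEgbGFiZWxsZWQgY29uc3RydWN0ZWQgc2FtcGxlIGZvciB0aGUgZXhhbXBsZQ==
REM short note, nothing here
powershell -w hidden -c "..."
"""

COMMENT_RE = re.compile(r"^\s*(?:rem\b|::)", re.IGNORECASE)   # both batch comment forms
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")              # a long Base64-looking run
MAGIC = {b"\x1f\x8b": "gzip", b"MZ": "pe"}                     # headers worth a second look


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8, plain text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_blobs(bat_text: str) -> list:
    """Decode Base64 runs that sit on comment lines only, and describe each one."""
    findings = []
    for lineno, line in enumerate(bat_text.splitlines(), 1):
        if not COMMENT_RE.match(line):
            continue
        for m in B64_RUN.finditer(line):
            try:
                raw = base64.b64decode(m.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue                      # not valid Base64 after all, skip it
            kind = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), "unknown")
            findings.append({"line": lineno, "b64_len": len(m.group(0)), "decoded_len": len(raw),
                             "entropy": round(shannon_entropy(raw), 2), "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in find_embedded_blobs(SAMPLE_BAT):
        print(finding)
```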
Fortinet FortiWeb Path Traversal Vulnerability Exploited in the Wild to Create Admin Accounts
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 107[.]152[.]41[.]19
On 13 November 2025, PwnDefend reported the active exploitation of a path traversal vulnerability in Fortinet FortiWeb versions prior to 8.0.2. The flaw allows attackers to send specially crafted HTTP POST requests to a vulnerable endpoint (/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi) and create administrative accounts, potentially granting full access to the device. According to reports, this vulnerability has been exploited in the wild since October 2025, and a proof-of-concept demonstrating account creation was published by security researcher WatchTwr. At the time of reporting, no official CVE identifier had been assigned to the issue.
The attack leverages straightforward path traversal techniques to escalate privileges by bypassing normal authentication mechanisms. PwnDefend highlighted that payloads include predefined usernames and passwords and are actively being sprayed across the internet, indicating a high likelihood of compromise for devices with exposed management interfaces. Threat intelligence researchers used honeypots and monitoring tools to track exploitation attempts, observing a series of source IPs associated with the attacks, reinforcing the urgency for organisations to assess exposure. While Shodan scans indicate that FortiWeb devices are less numerous than FortiGate installations, the risk remains significant due to the potential for automated attacks on publicly reachable endpoints.
To mitigate the threat, we strongly recommend updating FortiWeb to version 8.0.2 or later, which addresses the vulnerability. Administrators of affected systems are also advised to monitor logs for unusual POST requests to the vulnerable endpoint, review user accounts for unauthorized additions, and restrict management interface access where possible. Given the active exploitation and the availability of PoC demonstrations, timely patching is critical to prevent further compromise of FortiWeb appliances.
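One way to act on the log-monitoring advice above, as an added example that is not part of the digest or of any Fortinet tooling: a Python detector that URL-decodes request paths from constructed access-log lines and flags POST requests that use the `%3F/../` traversal to land on `cgi-bin/fwbcgi`. It goes slightly beyond the single path quoted above by accepting any `/api/` prefix and repeated percent-encoding. The log format, IP addresses, timestamps and status codes are assumptions made for the sample.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format. IPs, timestamps and statuses are made up;
# the request path on the first and third lines is the endpoint quoted in the digest.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2025:09:14:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
198.51.100.23 - - [13/Nov/2025:09:15:44 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048
203.0.113.7 - - [13/Nov/2025:09:16:10 +0000] "POST /api/v2.0/cmdb/system/admin%3f/..%2f..%2f..%2fcgi-bin/fwbcgi HTTP/1.1" 403 0
192.0.2.55 - - [13/Nov/2025:09:17:01 +0000] "POST /api/v2.0/user/login HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(raw: str) -> str:
    """URL-decode up to three times so %3F / %2f encodings cannot hide the traversal, then lower-case."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def is_fwbcgi_traversal(method: str, raw_path: str) -> bool:
    """True for a POST whose path claims an API route before a '?' but walks via '..' into cgi-bin/fwbcgi."""
    if method != "POST":
        return False
    path = normalise_path(raw_path)
    claimed = path.split("?", 1)[0]          # the route the front end believes it is serving
    return (
        claimed.startswith("/api/")
        and "/../" in path
        and path.rstrip("/").endswith("cgi-bin/fwbcgi")
    )


def find_suspicious(log_text: str) -> list:
    """Return (ip, timestamp, status, raw_path) for each matching request; a 403 still counts as an attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_fwbcgi_traversal(m["method"], m["path"]):
            hits.append((m["ip"], m["ts"], m["status"], m["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("fwbcgi traversal attempt:", hit)
```

Pair a hit with a review of the admin account list, since the reported payloads create accounts with predefined usernames.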
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-20341/CVE-2025-20349/CVE-2025-20353: These vulnerabilities can be remediated by upgrading Cisco Catalyst Centre to the most recent version.
- CVE-2025-6599/CVE-2025-8693: We recommend applying the latest firmware updates to prevent these devices from being exploited.
- CVE-2025-13012 to CVE-2025-13027: Update to Firefox 145 or ESR versions 140.5 or 115.30 to remediate all identified vulnerabilities and strengthen the browser's security posture.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.