Breach Roundup: Recently Patched Oracle Flaw Under Attack

Also: npm Packages Infiltrated, FBI Issues Fraud Alert, Campbell’s Soup Cans CISO

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, a recently patched critical Oracle flaw is being actively exploited, Shelly addressed a Pro 4PM denial-of-service vulnerability, “Shai-Hulud 2.0” executed an npm attack that leaked thousands of secrets, the FBI warned of rising bank account takeover fraud, regulators fined Comcast over a vendor breach, Spanish airline Iberia reported a supplier incident, researchers flagged five Fluent Bit vulnerabilities and Campbell fired its CISO in the wake of a lawsuit and leaked audio.


Recently Patched Oracle Flaw Under Attack

A critical vulnerability in Oracle Identity Manager, recently patched by the vendor, is being actively exploited by attackers, warned the U.S. Cybersecurity and Infrastructure Security Agency.

The vulnerability, tracked as CVE-2025-61757 and rated 9.8 on the CVSS scale, affects OIM versions 12.2.1.4.0 and 14.1.2.1.0 and allows an unauthenticated attacker to remotely execute code through the Oracle REST Web Services component.

Researchers at threat intelligence firm Searchlight Cyber discovered that an attacker can bypass OIM’s authentication checks by appending strings such as ?WSDL or ;.wadl to certain REST endpoints. These force the system to treat restricted interfaces as being publicly accessible.

Once a bypass occurs, the attacker can reach a Groovy script validation endpoint normally intended only for syntax checking, they said. By abusing the way Groovy handles annotation processing, the attacker can execute arbitrary code during compilation, effectively taking control of the server without supplying any credentials.
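The bypass described above rides on suffixes that make a restricted REST route look like a public interface, so the defender-side question is whether any such suffixed requests reached the REST tier and were answered with success. The following script is an added example, not code from Searchlight Cyber, Oracle or CISA: it parses a constructed Common Log Format sample, flags requests whose target carries a `?WSDL` query or a `;.wadl` path parameter under an assumed placeholder REST prefix, and reports the canonical route so the hit can be compared with the access rule that should have applied. `REST_PREFIX` and every path in the sample are assumptions.

```python
"""Flag access-log requests that carry a ?WSDL query or a ;.wadl path parameter
on REST routes, the suffix pattern described for the OIM bypass above.

Added example, not from Searchlight Cyber, Oracle or CISA. The log lines are a
constructed Common Log Format sample, and REST_PREFIX is an assumed placeholder
for whatever REST path prefix a deployment actually serves.
"""
import re
from urllib.parse import parse_qsl, urlsplit

REST_PREFIX = "/example-rest/"  # assumption: replace with the deployed REST prefix

# Matrix-style path parameter containing "wadl", e.g. "/route;.wadl".
WADL_PATH_PARAM = re.compile(r";[^/]*wadl", re.IGNORECASE)

# Minimal Common Log Format parser: host, timestamp, request line, status.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample; the paths are placeholders, not real OIM endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2025:10:00:01 +0000] "GET /example-rest/api/v1/resource HTTP/1.1" 401 0
203.0.113.5 - - [21/Nov/2025:10:00:02 +0000] "GET /example-rest/api/v1/resource?WSDL HTTP/1.1" 200 512
203.0.113.5 - - [21/Nov/2025:10:00:03 +0000] "POST /example-rest/api/v1/other;.wadl HTTP/1.1" 200 88
198.51.100.7 - - [21/Nov/2025:10:00:04 +0000] "GET /static/logo.png?WSDL HTTP/1.1" 404 0
198.51.100.7 - - [21/Nov/2025:10:00:05 +0000] "GET /example-rest/api/v1/resource?page=2 HTTP/1.1" 401 0
"""


def canonical_route(target):
    """Strip path parameters and the query string so the request can be compared
    against the access-control rule that should have applied to the real route."""
    path = urlsplit(target).path
    return re.sub(r";[^/]*", "", path)


def classify(target):
    """Return a reason label if the target carries one of the bypass-style
    suffixes on a REST route, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith(REST_PREFIX):
        return None
    query_keys = [k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if "wsdl" in query_keys:
        return "wsdl-query-suffix"
    if WADL_PATH_PARAM.search(parts.path):
        return "wadl-path-parameter"
    return None


def scan_log(text):
    """Return one finding per suspicious request line; a 2xx status on a route
    that otherwise answers 401 is the strongest signal that the suffix worked."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        reason = classify(m["target"])
        if reason is None:
            continue
        findings.append({
            "host": m["host"],
            "route": canonical_route(m["target"]),
            "status": int(m["status"]),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The match is done on the raw request target rather than on a normalized path because the whole point of the suffix is that normalization happens inconsistently between the access check and the servlet; when hunting, compare the canonical route against the rule set and treat a success status on a route that normally returns 401 as the priority lead.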

CISA has added the flaw to its Known Exploited Vulnerabilities Catalog and directed civilian federal agencies to patch the flaw with urgency.

The update from Oracle that patches the flaw is part of a slew of Oracle Fusion Middleware fixes contained in the company’s October Critical Patch Update, which addressed several other remotely exploitable issues.

Shelly Pro 4PM Exposed to High-Severity DoS Vulnerabilities

Security firm Nozomi Networks disclosed a high-severity vulnerability in Shelly Pro 4PM, a smart power relay made by Bulgaria-based Shelly Group and used for both home and commercial automation. An attacker could exploit the flaw to force a device offline, using a single, oversized request.

The vulnerability, tracked as CVE-2025-11243, stems from improper input handling in the relay’s JSON-RPC (JavaScript Object Notation Remote Procedure Call) interface: the device reboots immediately when it receives an overly large payload, the researchers said.

The flaw affects roughly 30 API methods, giving an attacker multiple ways to trigger a denial-of-service condition. While the vulnerability does not enable code execution or unauthorized access to device data, a successful exploit could interrupt all connected automation functions, including lighting, HVAC controls and access systems, until the relay gets manually restored.
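The failure mode above is an unbounded request reaching the parser, and the fact that roughly 30 methods are affected suggests the check belongs in front of the dispatcher rather than inside each handler. The following is an added example, not Shelly firmware or Nozomi research code: a minimal JSON-RPC 2.0 dispatcher that bounds the request at the transport layer, both when reading from a stream and before `json.loads`, and answers an oversized body with a JSON-RPC error. The 16 KiB limit, the `Relay.*` method names and the four-channel state are assumptions for the demonstration.

```python
"""Bound a JSON-RPC request's size at the transport layer, before it is parsed
or dispatched, so an oversized payload is answered with an error instead of
taking down the handler that serves every method.

Added example, not Shelly's firmware or Nozomi's research code. The 16 KiB limit,
the Relay.* method names and the four-channel state are assumptions made for the
demonstration.
"""
import io
import json

MAX_REQUEST_BYTES = 16 * 1024  # assumption: set to the largest legitimate request

# Simulated four-channel relay state (assumption).
RELAYS = [{"id": i, "on": False} for i in range(4)]


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _result(req_id, value):
    return {"jsonrpc": "2.0", "id": req_id, "result": value}


def relay_set(params):
    relay = RELAYS[int(params["id"])]
    relay["on"] = bool(params["on"])
    return {"id": relay["id"], "on": relay["on"]}


def relay_get_status(params):
    return dict(RELAYS[int(params["id"])])


# Method table; the size check below runs before any of these are reached.
METHODS = {"Relay.Set": relay_set, "Relay.GetStatus": relay_get_status}


def read_request(stream, limit=MAX_REQUEST_BYTES):
    """Read at most limit bytes from a socket-like stream. Reading limit + 1 and
    checking the length means the caller never buffers an unbounded body."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        return None
    return data


def handle_raw(raw, limit=MAX_REQUEST_BYTES):
    """Dispatch one JSON-RPC 2.0 request held in raw bytes."""
    if len(raw) > limit:
        # Rejected before json.loads: no parser work, no allocation proportional
        # to caller-chosen input, and one check covers every method.
        return _error(None, -32600, "request too large")
    try:
        req = json.loads(raw)
    except ValueError:
        return _error(None, -32700, "parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return _error(None, -32600, "invalid request")
    req_id = req.get("id")
    handler = METHODS.get(req.get("method"))
    if handler is None:
        return _error(req_id, -32601, "method not found")
    params = req.get("params", {})
    try:
        return _result(req_id, handler(params))
    except (KeyError, IndexError, TypeError, ValueError):
        return _error(req_id, -32602, "invalid params")


def serve_stream(stream, limit=MAX_REQUEST_BYTES):
    """Read one request from a stream and answer it; oversized bodies never
    reach the parser."""
    raw = read_request(stream, limit)
    if raw is None:
        return _error(None, -32600, "request too large")
    return handle_raw(raw, limit)


def serve_bytes(raw, limit=MAX_REQUEST_BYTES):
    """Convenience wrapper: serve a request held in memory as if it had arrived
    on a stream."""
    return serve_stream(io.BytesIO(raw), limit)


if __name__ == "__main__":
    good = b'{"jsonrpc":"2.0","id":1,"method":"Relay.Set","params":{"id":0,"on":true}}'
    huge = (b'{"jsonrpc":"2.0","id":2,"method":"Relay.Set","params":{"pad":"'
            + b"A" * (2 * MAX_REQUEST_BYTES) + b'"}}')
    print(serve_bytes(good))
    print(serve_bytes(huge))
```

Two design points carry the value: the limit is measured in bytes on the wire, not on the parsed structure, so the parser never sees attacker-sized input; and the stream reader asks for `limit + 1` bytes and refuses on overflow, so the check holds even when the body is not known in advance.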

CISA said it has not received any reports of public exploitation tied to this vulnerability. The agency added that the flaw is not remotely exploitable in its default configuration.

Shelly Group issued version 1.6.0 firmware to fix the flaw, and recommends administrators not only update their devices, but also restrict network exposure of control APIs and isolate automation devices behind firewalls or VPNs.

Regulators Fine Comcast Over Vendor Breach

The U.S. Federal Communications Commission has ordered Comcast Cable Communications to pay a $1.5 million civil penalty after a former vendor’s data breach exposed personally identifiable information for more than 237,000 cable subscribers, according to a consent decree.

The FCC Enforcement Bureau said Friday that the breach occurred between Feb. 14 and Feb. 26, 2024, when a hacker breached Financial Business and Consumer Solutions, a debt-collection vendor that had provided services to Comcast from 2010 until 2022. Although the business relationship had ended, FBCS retained Comcast subscriber PII on its systems at the time of the compromise, the FCC said.

The exposed data included subscriber names, physical addresses, dates of birth, account numbers, internal Comcast IDs, internal FBCS IDs, and full or partial Social Security numbers.

The FCC said Comcast violated Section 631(c) of the Cable Communications Policy Act, which requires cable operators to take “such actions as are necessary to prevent unauthorized access” to subscriber PII, and Section 631(e), which requires destruction of PII when no longer needed for the purpose it was collected.

As part of the settlement, Comcast must implement a three-year compliance plan overseen by a designated compliance officer. The plan requires Comcast to maintain a comprehensive vendor-management program, track all subscriber PII shared with third-party vendors, establish data-retention and destruction obligations, issue a compliance manual to employees and conduct recurring privacy training and audits.

Shai-Hulud 2.0 Sparks Massive npm Supply Chain Breach

A newly uncovered supply chain attack has been targeting the open-source npm registry – npm is the Node Package Manager, the default package manager for the Node.js JavaScript runtime – and forcing developers and organizations into emergency cleanup mode.

The fast-moving and “aggressive” campaign, dubbed “Shai-Hulud 2.0,” infiltrated hundreds of open-source npm packages over a three-day window between Friday and Sunday, said researchers at cybersecurity firm Check Point.

Attackers abused the npm preinstall script, which allows their malware to execute even if its installation fails, the researchers warned. The malicious payload, delivered through files such as setup_bun.js and bun_environment.js, uses the rarely monitored Bun runtime to evade standard Node-centric detection tools.

Once running, the worm scours the local environment for credentials, including npm tokens, GitHub access keys and cloud-provider credentials for AWS, GCP and Azure, as well as CI/CD secrets, then exfiltrates them to attacker-controlled GitHub repositories, researchers said. The attacks also involve installing rogue GitHub runners and malicious workflows to maintain persistence.
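The mechanics above give a defender concrete things to look for on a developer machine or build agent: install-time lifecycle scripts in `node_modules`, and the `setup_bun.js` / `bun_environment.js` file names and Bun invocations the researchers describe. The following scanner is an added example, not code from Check Point, GitLab or the npm project; it walks a `node_modules` tree, lists every `preinstall`/`install`/`postinstall`/`prepare` script, and marks the ones matching those indicators. The sample tree it builds lives in a temporary directory and its package names are placeholders.

```python
"""Walk a node_modules tree, list every install-time lifecycle script, and flag
the indicators described above: scripts that launch bun or reference
setup_bun.js / bun_environment.js, and packages that ship those files.

Added example, not from Check Point, GitLab or the npm project. The sample tree is
constructed in a temporary directory, and its package names are placeholders.
"""
import json
import os
import re
import tempfile

LIFECYCLE_KEYS = ("preinstall", "install", "postinstall", "prepare")
INDICATOR_FILES = {"setup_bun.js", "bun_environment.js"}
# "bun" as a standalone command word, or either indicator filename.
INDICATOR_RE = re.compile(r"(^|[\s;&|])bun(\s|$)|setup_bun\.js|bun_environment\.js", re.I)


def scan_package(pkg_dir):
    """Return findings for one package directory (one package.json)."""
    findings = []
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, ValueError):
        return findings
    name = meta.get("name", os.path.basename(pkg_dir))
    version = meta.get("version", "?")
    scripts = meta.get("scripts") or {}
    for key in LIFECYCLE_KEYS:
        cmd = scripts.get(key)
        if not cmd:
            continue
        findings.append({
            "package": f"{name}@{version}",
            "reason": "lifecycle-script",
            "detail": f"{key}: {cmd}",
            "suspicious": bool(INDICATOR_RE.search(cmd)),
        })
    for fname in sorted(INDICATOR_FILES & set(os.listdir(pkg_dir))):
        findings.append({
            "package": f"{name}@{version}",
            "reason": "indicator-file",
            "detail": fname,
            "suspicious": True,
        })
    return findings


def scan_node_modules(root):
    """Scan every package.json under root, including nested and scoped packages."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order across filesystems
        if "package.json" in filenames:
            findings.extend(scan_package(dirpath))
    return findings


def build_sample_tree():
    """Constructed sample node_modules: one clean package, one with a legitimate
    native-build hook, one placeholder exhibiting the indicators."""
    root = tempfile.mkdtemp(prefix="nm-sample-")
    packages = {
        "safe-lib": {"name": "safe-lib", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "placeholder-hijacked": {"name": "placeholder-hijacked", "version": "3.0.1",
                                 "scripts": {"preinstall": "node setup_bun.js"}},
    }
    for dirname, meta in packages.items():
        pkg_dir = os.path.join(root, "node_modules", dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    with open(os.path.join(root, "node_modules", "placeholder-hijacked", "setup_bun.js"),
              "w", encoding="utf-8") as fh:
        fh.write("// constructed placeholder standing in for the dropper, not the real file\n")
    return root


if __name__ == "__main__":
    for f in scan_node_modules(build_sample_tree()):
        flag = "!!" if f["suspicious"] else "  "
        print(flag, f["package"], f["reason"], f["detail"])
```

Every lifecycle script is reported, not only the flagged ones, because a legitimate build hook such as `node-gyp rebuild` is exactly what a malicious `preinstall` hides among; reviewing the full list is the point. On CI runners and developer machines that do not need native builds, npm's `ignore-scripts=true` setting in `.npmrc` stops lifecycle scripts from running at install time, at the cost of breaking packages like the native-addon placeholder that genuinely depend on one.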

“Early analysis shows worm-like propagation behavior that automatically infects additional packages maintained by impacted developers. Most critically, we’ve discovered the malware contains a ‘dead man’s switch’ mechanism that threatens to destroy user data if its propagation and exfiltration channels are severed,” said GitLab’s vulnerability research team.

Check Point said in total 621 “trusted or lookalike” npm packages were “either hijacked or maliciously published,” resulting in 25,000 GitHub repositories being compromised, 487 GitHub-using organizations being impacted and more than 14,000 secrets being leaked, of which nearly 2,500 remained valid as of Tuesday.

The incident comes just two months after researchers documented the original Shai-Hulud breach, described as one of the most severe JavaScript supply chain attacks ever seen (see: Shai Hulud Burrows Into NPM Repository).

Account Takeover Fraud via Fake Bank Support Reaches $262M

Cybercriminals are ramping up their account takeover schemes, in some cases by posing as bank staff, which has helped facilitate more than $262 million in reported losses so far this year, said the FBI.

The bureau’s Internet Crime Complaint Center on Tuesday warned that it’s received over 5,100 complaints this year linked to schemes in which attackers contact individuals by phone, email or text while claiming to represent financial institutions.

Such ATO scams rely on social engineering, often directing victims to phishing sites designed to resemble legitimate online banking portals, where they are tricked into disclosing account credentials or multifactor authentication codes, IC3 said.

Once attackers obtain access, they can initiate unauthorized transactions, including transfers to cryptocurrency accounts, and change login information to prevent victims from regaining control of their accounts, it said.

To reach potential victims, the FBI said criminals frequently use spoofed customer service numbers, fraudulent emails and misleading online search results.

Iberia Discloses Vendor Security Incident

Spain’s flag carrier Iberia is investigating a data security incident affecting one of its external service providers.

In a Spanish-language email sent Sunday and later shared on social platform X, Iberia warns that unauthorized access to the vendor’s systems may have exposed customers’ names, email addresses and Iberia Club loyalty identification numbers. The airline said there is no indication that account passwords or full payment card details were compromised, and that it’s running security audits on its own, internal systems as well as working with relevant authorities.

After the email became public, Russia-linked extortion group Everest Group claimed to have directly accessed Iberia’s systems and stolen 596 gigabytes of data, including 430 gigabytes of .eml email files that it said contained over five million records. The group also claimed long-term access to Iberia’s systems and the ability to view or modify bookings.

Everest’s claims followed an alert from the X account H4ckmanac on Nov. 14 saying that a threat actor was advertising 77 gigabytes of purported internal data from Iberia, including sensitive aircraft documentation, with an asking price of $150,000 in cryptocurrency.

Fluent Bit Tackles Five CVEs

Security researchers are warning that a newly disclosed set of critical vulnerabilities in Fluent Bit, a log processor used across billions of cloud and container environments, could allow attackers to manipulate key components of observability pipelines. Oligo Security, which uncovered the issues, said the flaws involve five specific vulnerabilities: CVE-2025-12969, CVE-2025-12972, CVE-2025-12970, CVE-2025-12978 and CVE-2025-12977.

Fluent Bit is deeply embedded in cloud-native stacks used by major providers, including Amazon Web Services, Google Cloud and Microsoft Azure. That ubiquity, researchers said, turns the five vulnerabilities into a high-impact risk. A threat actor able to abuse the weaknesses could overwrite log files, inject arbitrary telemetry data, reroute logs to unintended destinations, or disrupt how logs are parsed and processed. In some cases, exploitation could lead to remote code execution depending on the deployment configuration.

Fluent Bit maintainers have issued fixes through the release of version 4.1.1.

AWS said it’s “secured all of its internal systems that rely on Fluentbit” by moving to the latest version, and thanked Oligo Security for coordinating its vulnerability disclosure. AWS also advised all customers “running Fluentbit as a workload upgrade” to update to the latest version.

Campbell’s Fires CISO Over ‘Vulgar’ Comments

The Campbell’s Company, formerly known as Campbell Soup Company, fired chief information security officer Martin Bally after an audio recording surfaced in which a voice – the company said it believes it’s Bally speaking – is heard making disparaging remarks about Campbell’s products and employees.

The food giant called the comments “vulgar, offensive and false,” and said Bally’s behavior “does not reflect our values and the culture of our company.” The company fired him Tuesday.

Bally’s departure comes after he, employee J.D. Aupperle and Campbell’s itself were named in a lawsuit filed by former cybersecurity analyst Robert Garza, who accused the company of racist conduct, retaliation and a hostile work environment. The complaint, filed Nov. 20 in Michigan’s Wayne County Circuit Court, cites a violation of the state’s Elliott-Larsen Civil Rights Act.

According to the lawsuit, Garza joined Campbell’s in September 2024 and “excelled” in his role. He alleged that during a salary meeting in November 2024, Bally made racist comments about Indian employees and claimed Campbell’s products were “highly processed food for poor people.” Garza also said Bally boasted about coming to work while under the influence of marijuana edibles.

Garza reported the incident to Aupperle – then his manager – in January, but said he received no direction on how to escalate the issue to human resources. Garza said he was fired less than three weeks later, which he alleged was in direct retaliation for raising his concerns.

The lawsuit says Garza suffered stress, humiliation, emotional distress and economic loss, and among other relief, he’s seeking damages and attorney fees.

With reporting from Information Security Media Group’s Anviksha More in Mumbai and Mathew Schwartz in Scotland.
