The week of October 7-13, 2025, witnessed an unprecedented escalation in cybersecurity threats, marked by the active exploitation of critical zero-day vulnerabilities and sophisticated ransomware campaigns targeting enterprise infrastructure. Seven major incidents dominated the threat landscape, with particular focus on Oracle E-Business Suite and Redis vulnerabilities being exploited by prominent threat actors including Cl0p ransomware group and Storm-1175/Medusa operators.
New Critical Attack Techniques and CVEs
1. Oracle E-Business Suite Remote Code Execution (CVE-2025-61882)
Incident Date: October 4, 2025 (First exploited August 9, 2025)
CVSS Score: 9.8 (Critical)
Overview
Oracle disclosed CVE-2025-61882, a critical pre-authentication remote code execution vulnerability in Oracle E-Business Suite affecting the BI Publisher Integration component. This zero-day has been actively exploited by the Cl0p ransomware group since August 2025, representing one of the most significant enterprise software vulnerabilities of the year.
Technical Deep Dive
The vulnerability chains multiple weaknesses to achieve unauthenticated code execution through a sophisticated exploit path:
- Server-Side Request Forgery (SSRF): Initial vector through /OA_HTML/SyncServlet endpoint
- CRLF Injection: Manipulation of HTTP request headers to bypass security controls
- Authentication Bypass: Circumvention of Oracle EBS authentication mechanisms, including administrative account compromise
- Unsafe XSLT Processing: Malicious template upload via /OA_HTML/RF.jsp and /OA_HTML/OA.jsp endpoints for arbitrary code execution
The exploit utilizes Oracle’s XML Publisher Template Manager, uploading malicious XSLT templates that execute system commands when previewed. CrowdStrike analysis reveals the vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14.
Impact Assessment
- Scale: 570+ potentially vulnerable instances identified by Shadowserver Foundation, with 2,000+ internet-exposed instances detected by Censys
- Geographic Distribution: Highest concentration in the United States, followed by China
- Proof-of-Concept: Leaked exploit published by Scattered LAPSUS$ Hunters on October 3, 2025, significantly increasing mass exploitation risk
Takeaway for CISOs
Implement emergency patching protocols for all Oracle EBS instances immediately. Conduct comprehensive threat hunting for indicators of compromise including suspicious XML Publisher activity, unauthorized XSLT template uploads, and anomalous authentication patterns. Network segmentation and access controls should be reviewed for all EBS deployments to minimize attack surface exposure.
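The threat-hunting step in the takeaway can be started from web-tier access logs. The following script is an added example, not part of the original post and not an Oracle or CrowdStrike tool: it tags requests that touch the endpoints named in the deep dive (the SyncServlet entry point, URL-encoded line breaks in a request line, and POSTs to the RF.jsp/OA.jsp template pages) and groups them by source address, so a single client that appears at several stages of the chain surfaces first. It assumes the proxy in front of EBS writes Apache common/combined log format; the log lines and client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Endpoints named in the CVE-2025-61882 write-up. Hits are hunting leads, not proof of compromise:
# SyncServlet and the template-manager pages also see legitimate traffic.
SSRF_ENTRY = "/oa_html/syncservlet"
TEMPLATE_ENDPOINTS = ("/oa_html/rf.jsp", "/oa_html/oa.jsp")
CRLF_MARKERS = ("%0d%0a", "%0a")  # URL-encoded line breaks inside the request line

# Assumption: the proxy or web tier in front of EBS logs in Apache combined/common format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:10:01:02 +0000] "GET /OA_HTML/SyncServlet?x=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:10:01:05 +0000] "GET /OA_HTML/SyncServlet?x=1%0d%0aX-Test:%201 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:10:02:10 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2025:10:03:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2025:10:04:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/toolbox/webui/HelloWorldPG HTTP/1.1" 200 4096',
]

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Tag one parsed request with the exploit-chain stages it resembles."""
    tags = []
    path = entry["path"].lower()
    if path.startswith(SSRF_ENTRY):
        tags.append("ssrf_entry_point")
    if any(marker in path for marker in CRLF_MARKERS):
        tags.append("crlf_in_request")
    if entry["method"] == "POST" and path.startswith(TEMPLATE_ENDPOINTS):
        tags.append("template_endpoint_post")
    return tags

def hunt(lines):
    """Group tagged requests by client address so multi-stage activity from one source stands out."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            by_ip[entry["ip"]].append((entry["ts"], entry["method"], entry["path"], tags))
    return dict(by_ip)

def stage_count(by_ip):
    """Distinct chain stages per source; two or more from one address warrants immediate triage."""
    return {ip: len({tag for *_, tags in hits for tag in tags}) for ip, hits in by_ip.items()}

if __name__ == "__main__":
    leads = hunt(SAMPLE_LOG)
    for ip, stages in stage_count(leads).items():
        print(ip, stages, [hit[2] for hit in leads[ip]])
```

On the sample data the first client is tagged at three distinct stages while the second, which only browses a login page and an OA framework page, produces no lead. Extend `TEMPLATE_ENDPOINTS` and the CRLF markers to match your own log encoding, and feed the tagged requests into the same case as authentication logs for the "anomalous authentication patterns" part of the hunt.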
2. Redis “RediShell” Remote Code Execution (CVE-2025-49844)
Incident Date: October 3, 2025
CVSS Score: 10.0 (Critical)
Overview
Wiz Security disclosed CVE-2025-49844, dubbed “RediShell,” a 13-year-old use-after-free vulnerability in Redis’s Lua scripting engine affecting all Redis versions with Lua scripting capabilities. The vulnerability enables authenticated attackers to escape the Lua sandbox and achieve arbitrary code execution on the underlying host system.
Technical Analysis
The vulnerability exploits Redis’s garbage collector through specially crafted Lua scripts:
- Use-After-Free Bug: Memory corruption in Lua scripting engine dating back to 2012
- Sandbox Escape: Circumvention of Redis Lua environment restrictions
- Host System Compromise: Full remote code execution on underlying infrastructure
- Persistent Access: Capability to establish reverse shells and maintain system access
Risk Exposure
- Exposed Instances: 330,000 Redis servers exposed to internet globally
- Unauthenticated Access: 60,000 instances without authentication protection
- Cloud Impact: 75% of cloud environments utilize Redis infrastructure
Takeaway for CISOs
Prioritize immediate Redis updates across all environments. Implement Redis authentication mechanisms, disable unnecessary Lua scripting for untrusted users, and deploy network access controls. Monitor for anomalous Lua script execution and establish behavioral baselines for Redis operations.
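The three hardening measures in the takeaway (authentication, no Lua scripting for untrusted users, network access controls) all map to redis.conf directives, so they can be checked mechanically. The audit script below is an added example, not part of the original post and not a Redis or Wiz tool. It contrasts a constructed weak configuration with a hardened one: `bind` restricted to specific addresses, `protected-mode` on, a `requirepass` for the default user, and ACL rules that strip the `@scripting` command category (EVAL, EVALSHA, SCRIPT) from every user. Passwords in the sample are placeholders; the ACL evaluation follows Redis's documented rule that later rules override earlier ones and that `requirepass` only sets the default user's password.

```python
import shlex

# Constructed example configs; passwords are placeholders, not real secrets.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass ChangeMe-Placeholder
# default user keeps admin commands but loses EVAL/EVALSHA/SCRIPT (the @scripting category)
user default on >ChangeMe-Placeholder ~* &* +@all -@scripting
# application user: keyspace-scoped, data commands only, no scripting
user app on >AppPass-Placeholder ~app:* &* -@all +@read +@write +@connection
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*", "::*"}
ALLOW_SCRIPTING = {"+@all", "allcommands", "+@scripting", "+eval", "+evalsha"}
DENY_SCRIPTING = {"-@all", "nocommands", "-@scripting"}

def _directives(text):
    """Yield (directive, args) for each non-comment line of a redis.conf."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]

def _user_state(rules, has_password):
    """Walk ACL rules in order (later rules override earlier ones); report enabled/password/scripting."""
    enabled, scripting = True, False
    for r in rules:
        if r == "off":
            enabled = False
        elif r == "on":
            enabled = True
        elif r in ("nopass", "resetpass"):
            has_password = False
        elif r.startswith((">", "#")):          # clear-text or SHA-256 password rule
            has_password = True
        elif r in ALLOW_SCRIPTING:
            scripting = True
        elif r in DENY_SCRIPTING:
            scripting = False
    return enabled, has_password, scripting

def audit_redis_conf(text):
    """Return (code, detail) findings for the settings the Redis takeaway calls out."""
    findings = []
    settings, users = {}, {}
    for name, args in _directives(text):
        if name == "user" and args:
            users[args[0]] = args[1:]
        else:
            settings[name] = args
    bind = settings.get("bind", [])
    if not bind or any(a.lstrip("-").split("@")[0] in ALL_INTERFACES for a in bind):
        findings.append(("bind_all_interfaces", " ".join(bind) or "(unset)"))
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append(("protected_mode_off", "protected-mode no"))
    requirepass_set = bool(settings.get("requirepass"))
    # Redis's built-in default user is 'on ~* &* +@all' with no password unless requirepass is set.
    users.setdefault("default", ["on", "~*", "&*", "+@all"])
    for name, rules in users.items():
        enabled, has_password, scripting = _user_state(rules, requirepass_set if name == "default" else False)
        if not enabled:
            continue
        if not has_password:
            findings.append(("no_password", name))
        if scripting:
            findings.append(("scripting_allowed", name))
    return findings

if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

The weak file yields four findings (exposed on all interfaces, protected mode off, a passwordless default user, and scripting available to that user); the hardened file yields none. The `-@scripting` rule is the one that directly removes the RediShell attack surface for a user and can be applied before the upgrade is scheduled; patching is still required because administrative users who legitimately need scripting remain exposed.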
3. GoAnywhere MFT Zero-Day Exploitation (CVE-2025-10035)
Incident Date: September 11, 2025 (Disclosed October 6, 2025)
CVSS Score: 10.0 (Critical)
Overview
Microsoft attributed the exploitation of CVE-2025-10035 in Fortra’s GoAnywhere MFT to Storm-1175, a cybercriminal group known for deploying Medusa ransomware. The vulnerability allows unauthenticated command injection through a deserialization flaw in the License Servlet.
Exploitation Timeline
The attack chain demonstrates sophisticated post-exploitation techniques:
- Initial Access: Exploitation of CVE-2025-10035 through forged license response signatures
- Persistence: Deployment of SimpleHelp and MeshAgent RMM tools
- Discovery: Execution of user, network, and system reconnaissance commands
- Lateral Movement: Utilization of mstsc.exe (Remote Desktop Connection)
- Command & Control: Establishment of Cloudflare tunnels for C2 communication
- Data Exfiltration: Implementation of Rclone for data theft
- Ransomware Deployment: Final stage Medusa ransomware execution
Impact/Risk
The vulnerability’s impact is amplified because successful exploitation gives attackers comprehensive system access, enabling long-term persistence and the deployment of additional tools for lateral movement and malware distribution.
Takeaway for CISOs
Immediately patch all GoAnywhere MFT instances and conduct forensic analysis for indicators of compromise dating back to September 11, 2025. Implement network segmentation to isolate file transfer services and monitor for anomalous RMM tool deployments and Cloudflare tunnel establishment.
New Hacking Techniques
Unity Engine Argument Injection (CVE-2025-59489)
Incident Date: October 2, 2025
CVSS Score: 8.4 (High)
Unity disclosed a critical vulnerability affecting all Unity applications built with versions from 2017.1 onward, enabling local code execution through argument injection. The vulnerability allows malicious applications to launch Unity games with crafted startup parameters, loading arbitrary libraries and achieving code execution with the same privileges as the target application.
Technical Mechanism
The vulnerability exploits Unity Runtime’s processing of debugging commands:
- Parameter Injection: Malicious startup parameters including -xrsdk-pre-init-library, -dataFolder, overrideMonoSearchPath, and -monoProfiler
- Library Loading: Arbitrary DLL, SO, or DYLIB file execution based on platform
- Privilege Escalation: Code execution with application-level permissions
Takeaway for CISOs
Organizations with Unity-based applications should prioritize updates and monitor for unusual application launch patterns. Gaming companies and enterprises using Unity-based training or visualization tools face particular risk.
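Both the GoAnywhere post-exploitation chain above (RMM tools, mstsc.exe, Cloudflare tunnels, Rclone) and the Unity argument-injection flags are visible in process-creation telemetry, so one small rule engine can cover the monitoring called for in both takeaways. The code below is an added example, not part of the original post and not a Microsoft, Fortra or Unity tool. Its assumptions are labelled in the comments: GoAnywhere's JVM is recognised by an install path containing "goanywhere", the RMM agents by name substrings (real binary names vary by packaging), the Unity flags are the ones listed in the section above, and the sample events are constructed in a shape loosely following Sysmon Event ID 1 fields.

```python
import ntpath

# Assumptions: GoAnywhere's JVM runs from an install path containing "goanywhere"; RMM agents are
# recognised by name substrings (real binary names vary); UNITY_FLAGS are the startup parameters
# listed in the CVE-2025-59489 write-up.
GOANYWHERE_MARKER = "goanywhere"
RMM_MARKERS = ("simplehelp", "meshagent")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
UNITY_FLAGS = ("-xrsdk-pre-init-library", "-datafolder", "overridemonosearchpath", "-monoprofiler")

def _base(path):
    return ntpath.basename(path).lower()

def _tokens(event):
    return event["command_line"].lower().split()

RULES = []

def rule(name):
    """Register a predicate over one process-creation event under a rule name."""
    def register(fn):
        RULES.append((name, fn))
        return fn
    return register

@rule("mft_spawned_shell")          # the MFT's JVM should never spawn an interactive shell
def _mft_shell(e):
    return GOANYWHERE_MARKER in e["parent_image"].lower() and _base(e["image"]) in SHELLS

@rule("rmm_tool")                   # SimpleHelp / MeshAgent appearing outside managed deployment
def _rmm(e):
    haystack = (e["image"] + " " + e["command_line"]).lower()
    return any(m in haystack for m in RMM_MARKERS)

@rule("cloudflare_tunnel")          # cloudflared used as a C2 channel
def _cf(e):
    return _base(e["image"]).startswith("cloudflared") and "tunnel" in _tokens(e)

@rule("rclone_transfer")            # bulk copy/sync/move to a remote
def _rclone(e):
    return _base(e["image"]).startswith("rclone") and bool({"copy", "sync", "move"} & set(_tokens(e)))

@rule("rdp_from_shell")             # mstsc.exe launched by a shell rather than the desktop
def _rdp(e):
    return _base(e["image"]) == "mstsc.exe" and _base(e["parent_image"]) in SHELLS

@rule("unity_argument_injection")   # startup flags that make the Unity runtime load a library
def _unity(e):
    cmd = e["command_line"].lower()
    return any(flag in cmd for flag in UNITY_FLAGS)

def detect(events):
    """Return (rule_name, pid) for every rule matched by every event."""
    return [(name, e["pid"]) for e in events for name, fn in RULES if fn(e)]

# Constructed sample events; paths and addresses are illustrative, not observed indicators.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent_image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"pid": 1002, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\cloudflared.exe", "command_line": "cloudflared.exe tunnel run --token <REDACTED>"},
    {"pid": 1003, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe", "command_line": r"rclone.exe copy D:\Share remote:bucket"},
    {"pid": 1004, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mstsc.exe", "command_line": "mstsc.exe /v:10.0.0.12"},
    {"pid": 1005, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Games\Example\Example.exe", "command_line": r"Example.exe -xrsdk-pre-init-library C:\Users\Public\x.dll"},
    {"pid": 1006, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
    {"pid": 1007, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\MeshAgent.exe", "command_line": "MeshAgent.exe -install"},
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:28s} pid={pid}")
```

Six of the seven sample events fire exactly one rule each and the benign notepad launch fires none. In production the RMM and tunnel rules need an allow-list for sanctioned deployments, and the Unity rule is most useful when scoped to the parent process (a game or visualization tool launched by anything other than the desktop shell or a launcher is the pattern worth reviewing).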
Advanced Akira Ransomware Techniques
Akira ransomware operators demonstrated enhanced capabilities through their exploitation of SonicWall SSL VPN devices, showcasing evolution in their attack methodology:
- Credential Harvesting: Exploitation of previously exfiltrated credentials from CVE-2024-40766
- Rapid Attack Cycles: Dwell time reduced to as little as 55 minutes from initial access to encryption
- Infrastructure Rotation: Dynamic VPS-based client infrastructure to evade detection
- Multi-Factor Authentication Bypass: Successful compromise of accounts with OTP MFA enabled
Underground Intelligence: Threat Actor Landscape Evolution
ShinyHunters-LAPSUS$-Scattered Spider Alliance
The cybercriminal ecosystem witnessed significant consolidation with the formation of the “Trinity of Chaos,” uniting ShinyHunters, LAPSUS$, and Scattered Spider groups under a coordinated ransomware operation. This alliance launched a dedicated data leak site containing 39 compromised organizations, representing a shift toward traditional ransomware business models.
Key Developments:
- Salesforce Campaign Continuation: Threats to release over 1 billion records from previous voice phishing attacks
- Data Leak Site Launch: “Scattered LAPSUS$ Hunters” platform for victim shaming
- Regulatory Pressure Tactics: Threats to report GDPR violations to European regulators
Dark Web Forum Activity
Analysis of underground forums revealed increased chatter around:
- Oracle EBS Exploitation: Technical discussions and proof-of-concept sharing following CVE-2025-61882 disclosure
- Redis Attack Frameworks: Development of automated exploitation tools for RediShell vulnerability
- Ransomware Recruitment: Active solicitation for affiliates by established RaaS operators
The temporary shutdown of BreachForums led to threat actor migration to alternative platforms including DarkForums, which reported 12,767 registered users as of October 2025.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management