Major Incidents or Breaches

  • Salesforce has confirmed a widespread data theft attack affecting its customers, stating it will not pay ransom to the threat actors. The ShinyHunters group is linked to the exfiltration of over a billion records from Salesforce customers and has launched a data leak site to extort victims.
  • Electronics distributor Avnet disclosed a data breach, noting that stolen data is unreadable without proprietary tools.
  • BK Technologies, a public safety communications firm, reported an IT intrusion and subsequent data theft.
  • CPAP Medical suffered a data breach exposing personal and health information of over 90,000 military patients, troops, veterans, and their families.
  • Discord has warned users of a third-party breach resulting in the theft of names, emails, limited billing information, and some government-ID images.
  • DraftKings notified customers of account breaches following a credential stuffing attack.
  • North Korean hackers have reportedly stolen over $2 billion in cryptocurrency assets in 2025, the largest annual total recorded.
  • Asahi brewery in Japan experienced a ransomware attack that disrupted domestic operations and led to a beer shortage.

Newly Discovered Vulnerabilities

  • Redis disclosed a critical, 13-year-old vulnerability (CVSS 10.0), tracked as “RediShell,” allowing remote code execution under certain conditions. Over 60,000 servers are currently at risk, with more than 300,000 instances exposed globally.
  • FreePBX (CVE-2025-57819) is affected by a code execution vulnerability via its web-based admin interface.
  • Oracle E-Business Suite (EBS) zero-day vulnerability has been exploited by the Clop ransomware gang for data theft since at least early August.
  • The Year 2038 (Y2K38) bug has been highlighted as a vulnerability that could be exploited in ICS and consumer devices well before the date is reached.

Notable Threat Actor Activity

  • Microsoft attributed the exploitation of a critical Fortra GoAnywhere MFT vulnerability to the Storm-1175 threat actor, leading to Medusa ransomware deployment. Exploitation began one week before patches were released and reportedly requires a private key.
  • The Clop ransomware gang exploited a critical Oracle EBS zero-day in data theft operations.
  • BatShadow, a Vietnamese threat actor, is using a new Go-based malware (“Vampire Bot”) targeting job seekers and digital marketing professionals via social engineering.
  • OpenAI disrupted three clusters of activity by Russian, North Korean, and Chinese threat actors misusing ChatGPT for malware development.
  • Security research exposed BIETA and CIII, Beijing-based research institutes, as developers and suppliers of technology supporting Chinese intelligence and military cyber operations.

Trends, Tools, or Tactics of Interest

  • Microsoft reported a new phishing campaign leveraging AI tools to obfuscate payloads and evade detection.
  • Researchers observed an uptick in spam and malicious emails using hidden content to bypass security filters.
  • XWorm 6.0 malware has emerged with over 35 plugins, enhancing its data theft and modular attack capabilities.
  • AI is identified as the leading data exfiltration channel in enterprise environments, according to new research.
  • Security teams are adopting AI-powered breach and attack simulation tools to rapidly test and validate defences against emerging threats.
  • Google DeepMind announced “CodeMender,” an AI agent that detects, patches, and rewrites vulnerable code.
  • AI-assisted penetration testing is now mainstream, with 70% of surveyed security researchers using AI tools, as reported by HackerOne.
  • Google launched an AI Vulnerability Reward Program, offering up to $30,000 for reported AI system flaws.
  • Google decided not to patch a new ASCII smuggling attack in its Gemini AI assistant, which could be used to manipulate responses or alter model behaviour.

Regulatory or Policy Developments Affecting the Security Industry

  • Docker announced affordable, unlimited access to its Hardened Images catalog for startups and SMBs to support secure development.
  • Microsoft is removing additional methods to bypass Microsoft account requirements in Windows 11 installations.
  • Significant cybersecurity M&A activity was reported in September 2025, with major deals involving Check Point, CrowdStrike, F5, Mitsubishi Electric, and SentinelOne.