BMC Daily Cyber News

This is today’s cyber news for November 12th, 2025. A massive credential trove lands in Have I Been Pwned, pushing account takeover risk sharply higher. Microsoft’s monthly patches close sixty-three flaws, including one already exploited in the wild. Triofox is under live attack via a setup-route bypass, SAP fixes hardcoded credentials in SQL Anywhere Monitor, and Samsung’s latest mobile flaw enters the Known Exploited catalog. Ransomware-as-a-service expands with VanHelsing, Synology’s BeeStation faces an unauthenticated zero-day, and Brazil sees WhatsApp-driven bank session hijacking. Rounding out the brief: GootLoader’s stealthy web-font trick and fresh Ivanti Endpoint Manager issues that enable arbitrary file writes.

You’ll hear what changed, why it matters, who is most exposed, and the near-term moves that shrink risk. Leaders get business-impact framing; defenders get plain-English signals to watch and pragmatic steps tied to identity, patching, and endpoint controls. The focus is tight: the Top 10 from today’s newsletter only—no filler. It’s a fast, narrated briefing for students and practitioners alike, available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for November 12th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Have I Been Pwned has added a colossal dataset linked to the Synthient trove, expanding the pool of exposed accounts worldwide. It is nearly two billion records. Attackers will replay leaked email and password pairs at scale across banking, retail, and company portals to quietly seize access. That matters because any reused password can be guessed fast, which turns routine logins into direct losses and customer trust damage. The data is live today, so organizations should check exposures, force resets for hit users, and throttle automated login floods.
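The two defender moves in that item, checking exposures and throttling replayed logins, can be shown concretely. The following is an added example, not code from the brief, from Have I Been Pwned, or from any vendor it mentions. Part one is a k-anonymity password lookup in the shape of the real Pwned Passwords range API (only the first five hex characters of the SHA-1 leave the client), run here against a constructed range bucket so it works offline. Part two flags sources that spray many usernames with mostly failed logins over constructed authentication log lines; the log format, the thresholds, and every address and count are assumptions made for the example.

```python
"""Added example (not from the BMC Daily Cyber News brief or from HIBP).
1. check_password_exposure(): k-anonymity lookup shaped like the real
   Pwned Passwords range API; the bucket returned here is CONSTRUCTED.
2. find_stuffing_sources(): credential-stuffing signal over CONSTRUCTED
   auth log lines (one source, many usernames, mostly failures)."""
import hashlib
import re
from collections import defaultdict

# --- 1. k-anonymity exposure check -------------------------------------
# The real service is queried at https://api.pwnedpasswords.com/range/<prefix>
# with the first five hex chars of SHA-1(password); it returns every suffix in
# that bucket with a breach count, so the full hash never leaves the client.

def hibp_split(password: str) -> tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def check_password_exposure(password: str, fetch_range) -> int:
    """Return the breach count for `password`, or 0 if it is not in the bucket.
    `fetch_range(prefix)` returns the range body: lines of 'SUFFIX:COUNT'."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0

# Constructed bucket: the real suffix of the constructed password "password"
# plus two made-up neighbours; all counts are invented for the example.
_LEAKED_PREFIX, _LEAKED_SUFFIX = hibp_split("password")
CONSTRUCTED_BUCKETS = {
    _LEAKED_PREFIX: "\n".join([
        "00D4F6E8FA162C5CC4F3B0B2F3C4A9B1E9F:3",
        f"{_LEAKED_SUFFIX}:9545824",
        "1F2AB3C4D5E6F708192A3B4C5D6E7F8091A:1",
    ])
}

def constructed_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call: returns the constructed bucket or nothing."""
    return CONSTRUCTED_BUCKETS.get(prefix, "")

# --- 2. credential-stuffing signal over auth logs -----------------------
# Replayed leaked pairs look like ONE source trying MANY usernames with mostly
# failures; a user who forgot a password is one username from one place.
# The line format below is an assumption for the example.
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")

CONSTRUCTED_AUTH_LOG = """\
2025-11-12T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-11-12T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2025-11-12T08:00:02Z src=203.0.113.7 user=carol result=FAIL
2025-11-12T08:00:03Z src=203.0.113.7 user=dave result=FAIL
2025-11-12T08:00:03Z src=203.0.113.7 user=erin result=OK
2025-11-12T08:00:04Z src=203.0.113.7 user=frank result=FAIL
2025-11-12T08:01:10Z src=198.51.100.9 user=alice result=FAIL
2025-11-12T08:01:25Z src=198.51.100.9 user=alice result=FAIL
2025-11-12T08:01:40Z src=198.51.100.9 user=alice result=OK
2025-11-12T08:02:00Z src=192.0.2.44 user=grace result=OK
"""

def summarize_sources(log_text: str) -> dict:
    """Per-source attempt count, failure count and set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["failures"] += 1
    return stats

def find_stuffing_sources(log_text: str, min_users: int = 5,
                          min_fail_ratio: float = 0.75) -> dict:
    """Return {src: stats} for sources that spray many usernames and mostly fail."""
    flagged = {}
    for src, s in summarize_sources(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"attempts": s["attempts"], "failures": s["failures"],
                            "distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    print("breach count:", check_password_exposure("password", constructed_fetch_range))
    for src, info in find_stuffing_sources(CONSTRUCTED_AUTH_LOG).items():
        print(f"throttle/alert {src}: {info}")
```

The single `OK` inside the flagged spray (user `erin`) is the account whose leaked pair actually worked; that is the "hit user" the brief says to force-reset, while the source itself is the one to throttle. The user retrying their own password from one address is deliberately left alone by the distinct-user threshold.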

Microsoft shipped November security updates that fix sixty-three vulnerabilities across Windows and related components, including one flaw already used in real attacks. Patch Tuesday is here. Several issues allow remote code execution, and the presence of an actively exploited bug raises the urgency for domain controllers and internet facing servers. This matters because broad Windows fleets underpin identity and business services, so delay stretches the window for intruders to pry open high value systems. Updates are available now, so teams should stage fast rollouts and watch for odd child processes during patching.

Triofox is under active attack through an authentication bypass that lets intruders reach setup pages and gain system level control. The trick abuses a built in antivirus workflow. Because Triofox brokers file access for remote workers, a single compromise can spread tools and persistence while users keep working as usual. That is important because a quiet foothold near shared files speeds data theft and ransomware staging without tripping obvious alarms. A safe build is available, so apply it quickly, restrict admin routes, and review logs for tool uploads and new tasks.

SAP fixed a maximum severity issue in SQL Anywhere Monitor where hardcoded credentials could grant remote access and command execution. The flaw is simple. When monitoring runs with broad rights or is exposed, baked in logins let attackers pivot into systems that feed critical business processes. This matters because monitoring often touches databases and integrations, so a small miss can become a full environment takeover with little noise. The vendor patch is out, so apply it, rotate any related secrets, and alert on new admin users or shells after service startup.

A vulnerability in Samsung Galaxy devices was exploited in the wild and is now in the Known Exploited Vulnerabilities, K E V, catalog. Bring your own device, B Y O D, complicates fast fixes. Delayed phone updates through carriers or user habits keep exploitable builds in circulation, leaving room for spyware, data theft, or privilege escalation against corporate apps. That matters because unmanaged or lagging phones still touch mail, chat, and files, which turns a mobile flaw into an enterprise doorway. A patch exists, so enforce firmware compliance through mobile device management, M D M, and quarantine non compliant devices until they update.

A new ransomware operation called VanHelsing is courting criminal partners with a slick service model and multi platform payloads. Because the service ships encryptors for Windows, Linux, and virtualized hosts, a single intrusion can cripple endpoints, file servers, and hypervisors together. Operators often steal data before encryption to raise pressure during negotiations and expand the damage if backups fail. Affiliates are already signing up fast. Early chatter and test builds suggest a push for breadth over bespoke targeting, and the campaign appears to be warming up.

Synology BeeStation, a small office and home storage device, has a zero day flaw that lets outsiders run code without logging in. Internet facing boxes are most at risk because port forwarding and quick setup often leave them wide open to scanning. An attacker who lands on the admin interface can plant remote tools, pivot inside the network, and quietly harvest documents. Many boxes are exposed to the internet. Updates are in progress, and defenders should restrict wide area access until fixed builds roll out to every deployed device.

In Brazil, criminals are using a strain dubbed Maverick to hijack active banking sessions tied to WhatsApp Web on desktop browsers. The malware watches for bank pages, then piggybacks on the user’s authenticated state to move money or enroll new payees. Because it rides a real session, many fraud controls treat the activity as normal user behavior, which weakens standard checks. To the bank, the fraud looks normal. Investigations show the campaign is active now, so payment teams should enforce out of band verification for new payees and urgent transfers.

The GootLoader operation has returned with a trick that hides malicious code inside custom web font files on booby trapped WordPress sites. Victims search for business documents, land on convincing pages, and unknowingly run scripts that unpack payloads from the font resources. This blend of search poisoning and stealthy delivery helps operators slip past simple filters while keeping the page content looking legitimate. To most users, the pages look clean. Reports indicate hands on activity often follows quickly, with domain controllers and file servers at risk once the first foothold is gained.

Multiple flaws in Ivanti Endpoint Manager let a logged in user write files to arbitrary locations on managed machines. That primitive becomes privilege escalation when the management agent runs with high rights, letting a low privilege account plant a malicious service. Because enterprises rely on this tool for patching and configuration at scale, exposure spans many systems across business units and regions. At first glance, it looks like routine admin. Patches are available, so teams should move quickly and watch for new services or modified binaries in agent managed paths during rollout.
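The closing advice, watch for new services or modified binaries in agent-managed paths, comes down to a file-integrity baseline. The following is an added example, not code from the brief or from Ivanti: it hashes every file under a directory, takes a later snapshot, and reports what was added, removed or modified. The directory tree, file names and contents are constructed in a temporary folder so it runs anywhere; none of the paths are real Ivanti paths.

```python
"""Added example (not from the BMC Daily Cyber News brief or from Ivanti).
A minimal file-integrity baseline for an agent-managed folder: snapshot
SHA-256 of every file, snapshot again later, and classify the drift.
The folder and its files are CONSTRUCTED in a temp directory."""
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def diff_baseline(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots into added / removed / modified."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }

def demo_drift() -> dict[str, list[str]]:
    """Constructed scenario: a legitimate install, then one planted binary and
    one tampered existing binary, the pattern the brief says to watch for."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent.exe").write_bytes(b"legit agent v1")       # constructed
        (root / "bin" / "updater.exe").write_bytes(b"legit updater v1")   # constructed
        (root / "config.ini").write_text("server=mgmt.example.invalid\n")  # constructed
        before = build_baseline(root)

        # Drift: a new binary appears and an existing one changes content.
        (root / "bin" / "svchelper.exe").write_bytes(b"planted service")  # constructed
        (root / "bin" / "updater.exe").write_bytes(b"tampered updater")   # constructed
        after = build_baseline(root)
        return diff_baseline(before, after)

if __name__ == "__main__":
    for kind, paths in demo_drift().items():
        print(f"{kind}: {paths}")
```

In practice the first snapshot is taken right after a clean install or patch rollout and stored off the host; an unexpected entry under `added` or `modified` in a path only the management agent should write is the signal to pull the service list and the agent's own logs for that machine.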

That’s the BareMetalCyber Daily Brief for November 12th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.