Welcome back! This edition delivers the latest cloud security highlights: key breaches, unique data findings, and must-watch vulnerabilities. Let’s jump in.
🔍 Highlights
Shai-Hulud 2.0: Ongoing Supply Chain Campaign Referencing Shai-Hulud
A new npm supply-chain campaign referencing Shai-Hulud temporarily compromised packages from Zapier, ENS Domains, PostHog, Postman, and others. This wave leveraged temporarily compromised npm maintainer accounts to publish trojanized versions of legitimate packages from major ecosystems. Wiz observed over 25,000 repositories containing secrets across ~350 unique users.
The malicious packages execute code during the preinstall phase, enabling theft of developer and CI/CD secrets and automated propagation to new repositories. Exfiltration is conducted cross-victim, which means that your data may have been published as a repository on an unaffiliated GitHub user. This means you might see arbitrary victim's data on your impacted users' repositories as well.
Learn more in our blogs
🐞 High Profile Vulnerabilities
Critical Vulnerability in Grafana Enterprise SCIM Provisioning
On November 19, 2025, Grafana Labs released a critical security update addressing a privilege escalation vulnerability (CVE-2025-41115) in Grafana Enterprise’s SCIM (System for Cross-domain Identity Management) provisioning feature.
This flaw could allow a malicious or compromised SCIM client to impersonate privileged users or escalate privileges under specific configurations. The issue affects Grafana Enterprise versions 12.0.0 through 12.2.1, while Grafana Cloud and Grafana OSS users remain unaffected.
According to Wiz data, 12% of cloud environments have resources vulnerable to CVE-2025-41115.
Learn more here
Critical Vulnerability in Fortinet FortiWeb Exploited in-the-Wild
On November 14, 2025, Fortinet released an advisory stating that they had patched a path confusion vulnerability in their FortiWeb that allowed an unauthenticated attacker execute administrative commands on a system via crafted HTTP/S requests. This vulnerability is being tracked as CVE-2025-64446 and has reportedly been exploited in the wild. CISA warns that widespread exploitation is likely given active attacks, public exploit availability, and the presence of vulnerable internet-facing FortiWeb systems.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-64446.
Learn more here
Cisco ISE Vulnerability Exploited as 0day by APT
Researchers uncovered an APT actor exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems. The vulnerabilities, tracked as CVE-2025-20337 and CVE-2025-5777, were leveraged by the attackers to deploy custom malware. While CVE-2025-5777 (CitrixBleed2) has been previously reported as exploited, the zero-day exploitation of CVE-2025-20337 represents a new development. No indicators of compromise (IOCs) have been published for this activity to date.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to these vulnerabilities.
Learn more here
Container Escape Vulnerabilities in runc
Three high-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881) allow container escape by abusing the handling of /proc file writes. Attackers with control over mount configurations can trigger writes to sensitive kernel interfaces, gaining full host access or causing denial of service. Exploits have been published, increasing the ease and likelihood of exploitation. Updated runc versions patch all three flaws and should be deployed immediately on hosts running containers.
Learn more here
Multiple Vulnerabilities in Fluent Bit Patched
On November 24, 2025 five vulnerabilities in Fluent Bit were released. Fluent Bit is a logging and metrics processor and forwarder that is often used in cloud environments. These vulnerabilities have the potential to enable path traversal, authentication bypass and remote code execution. No evidence has been found of their exploitation in the wild. The vulnerabilities were assigned CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, CVE-2025-12969.
Learn more here
Security incidents & campaigns
Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure
Researchers identified a campaign exploiting the disputed Ray vulnerability CVE-2023-48022 to compromise internet-exposed Ray clusters and conscript them into a self-propagating cryptomining and DDoS-capable botnet. The threat actor, tracked as IronErn440, abuses Ray’s unauthenticated Jobs API and orchestration features to perform autonomous cluster-to-cluster propagation, while using LLM-generated payloads to evolve the operation and evade detection.
Learn more here
Salesforce Reports Unusual Activity Related to Gainsight Applications
On November 19th, 2025 Salesforce released a notice that they had detected unusual activity linked to "Gainsight-published applications" that connected to Salesforce. Salesforce has revoked all active access and refresh tokens associated with these applications. The "ShinyHunters" group has claimed to have stolen SalesForce data from multiple companies on Telegram, and Gainsight has since confirmed the breach.
Read more here
Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly roundup of cloud security news podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏
Listen on Spotify and Apple Podcasts.