Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
🔍 Highlights
RediShell: Critical RCE Vulnerability in Redis
Wiz Research discovered a critical RCE vulnerability (CVE-2025-49844) affecting Enterprise and Community versions of Redis, Valkey, and managed cloud services (ElastiCache, MemoryStore, Azure Cache). The flaw allows an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially achieve remote code execution. Since some distributions of Redis are configured without authentication by default, or use default or weak passwords, customers are advised to prioritize patching Internet-facing instances of Redis.
According to Wiz data, 63% of cloud environments have resources potentially vulnerable to these vulnerabilities.
Learn more in our blog
🐞 High Profile Vulnerabilities
Critical Account Takeover Vulnerability in better-auth API Keys Plugin
A critical vulnerability in the better-auth API keys plugin (CVE-2025-61928) allows unauthenticated attackers to generate privileged API keys for arbitrary users, enabling full account takeover. The issue stems from improper authorization logic in the createApiKey handler. When a request includes a userId in the JSON body but lacks a session, the plugin incorrectly treats the request as authenticated, fabricates a user object from attacker-controlled input, and skips validation of privileged fields. As a result, an attacker can send an unauthenticated POST request to /api/auth/api-key/create and mint valid API keys for any known or guessable user ID.
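A simplified illustration of this authorization failure and its fix, written for this newsletter and not taken from better-auth: a toy API-key creation handler that trusts a body-supplied userId whenever no session is present, next to a hardened version. The session store, request shape, field names and the ctx.trustedServerCall flag are all assumptions.

```javascript
// Constructed example, not better-auth's code: a minimal API-key creation
// handler with the flaw class described above, beside a hardened version.
// Session store, request shape and field names are assumptions.

// Constructed session store: bearer token -> authenticated user.
const SESSIONS = new Map([['sess-alice', { id: 'user-alice' }]]);

let nextKeyId = 1;
function mintKey(userId, permissions) {
  return { id: `key-${nextKeyId++}`, userId, permissions };
}

// VULNERABLE (kept broken on purpose): a missing session plus a body-supplied
// userId is taken as proof of a trusted server-side call, so the "user" is
// fabricated from request input and privileged fields are not validated.
function createApiKeyVulnerable(req) {
  const session = SESSIONS.get(req.headers.authorization);
  const serverCall = !session && typeof req.body.userId === 'string';
  const user = session ?? (serverCall ? { id: req.body.userId } : null);
  if (!user) return { status: 401 };
  // Privileged fields pass straight through when the call "looks" server-side.
  const permissions = serverCall ? (req.body.permissions ?? []) : ['read'];
  return { status: 200, key: mintKey(user.id, permissions) };
}

// HARDENED: trust comes from ctx.trustedServerCall, which the application sets
// when it invokes the handler internally; it is never derived from the request.
// Client requests must carry a valid session, the key is bound to that
// session's user, and client-supplied privileged fields are rejected.
function createApiKeyHardened(req, ctx = {}) {
  if (ctx.trustedServerCall === true) {
    if (typeof req.body.userId !== 'string') return { status: 400 };
    return { status: 200, key: mintKey(req.body.userId, req.body.permissions ?? []) };
  }
  const session = SESSIONS.get(req.headers.authorization);
  if (!session) return { status: 401 };
  if (req.body.userId !== undefined && req.body.userId !== session.id) return { status: 403 };
  if (req.body.permissions !== undefined) return { status: 403 };
  return { status: 200, key: mintKey(session.id, ['read']) };
}
```

The decisive difference is where trust originates: the hardened handler takes it from context the application controls, never from the absence of a session plus attacker-supplied JSON.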
According to Wiz data, 1% of cloud environments have resources vulnerable to CVE-2025-61928.
Learn more here
Critical Adobe Commerce and Magento Vulnerability Exploited in-the-Wild
A critical nested-deserialization vulnerability in Adobe Commerce and Magento Open Source, assigned CVE-2025-54236, is being actively exploited in the wild. Researchers report observing exploitation attempts against the vulnerability, nicknamed “SessionReaper”, while only ~38% of stores are patched, leaving the majority of instances exposed. Immediate patching or mitigation is advised.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-54236.
Learn more here
Critical WSUS Vulnerability Exploited in-the-Wild
Researchers observed threat actors actively exploiting a deserialization remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), assigned CVE-2025-59287, against publicly exposed WSUS endpoints (ports 8530/8531). Microsoft released an out-of-band security update on October 23, 2025; organizations with WSUS enabled should apply the update immediately.
Learn more here
Security incidents & campaigns
Cl0p Group Exploits Oracle E-Business Suite Vulnerabilities for Data Extortion
Media reports state that actors purporting to be the Cl0p group have been emailing companies claiming that their data has been stolen from Oracle E-Business Suite and demanding payment. In an October 1st Bloomberg article, Halcyon, a cybersecurity company responding to a related incident, stated that the attackers gained access to the data by compromising user emails and abusing the default password-reset function. On October 2nd, Oracle posted a statement on their blog saying that they are aware of the extortion emails and have identified the potential use of vulnerabilities patched in their July 2025 Critical Patch Update. This update patched nine vulnerabilities affecting supported versions 12.2.3 - 12.2.13. On October 5th, Oracle disclosed CVE-2025-61882 affecting E-Business Suite, exploited in-the-wild as a 0-day vulnerability.
Learn more here
“Crimson Collective” Claims Breaches of Red Hat and Nintendo
An extortion group calling themselves "Crimson Collective" has claimed to have stolen nearly 570 GB of data from Red Hat's private GitLab repositories. Red Hat confirmed a security incident, and the group claimed to have identified customer secrets in the exfiltrated data. Red Hat has also stated that they have directly notified all affected customers.
Around the same time, Nintendo also confirmed reports of an alleged breach by the same group. Crimson Collective claimed to have accessed Nintendo’s servers and shared images purportedly showing a list of internal development files. However, Nintendo stated that the breach was minimal and limited to servers hosting its websites, asserting that "there has been no leak of development or business information."
Read more here
F5 Security Incident
F5 disclosed a security incident in which a nation-state threat actor maintained persistent access to the company’s internal systems, including its BIG-IP product development and engineering knowledge management environments. The actor exfiltrated source code and information about undisclosed vulnerabilities under development. Although F5 found no evidence of code tampering or compromise of its software supply chain, the incident raised concerns about potential follow-on exploitation and supply chain risks. CISA has issued guidance directing federal agencies to update and harden affected systems immediately.
Learn more here
Espionage Campaign Targeting Windows Server Environments
PassiveNeuron is a cyber-espionage campaign that compromises Internet-facing Windows servers (notably Microsoft SQL-hosting machines) to deploy a multi-stage loader chain and bespoke implants: Neursite (C/C++) and NeuralExecutor (.NET), often alongside Cobalt Strike. Victims include government, financial and industrial organizations across Asia, Africa and Latin America.
Read more here
IIS Backdoor Exploiting Exposed ASP.NET Machine Keys
A Chinese-speaking threat cluster tracked as REF3927 compromises Windows IIS servers by abusing publicly exposed ASP.NET machineKey values to achieve ViewState deserialization RCE. Post-exploitation, the actor deploys a malicious IIS module (named TOLLBOOTH / HijackServer) that cloaks SEO content, exposes a webshell, and provides operator management endpoints. Operations are opportunistic and global (notably geofenced away from mainland China) and include use of Z-Godzilla (Godzilla fork) webshell, GotoHTTP RMM, and a modified “Hidden” rootkit to hide artifacts and persist.
Learn more here
Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏
Listen on Spotify and Apple Podcasts.