
Oracle zero-day serves up persistent access.
A critical zero-day in Oracle E-Business Suite is under active exploitation. ICE plans a major expansion of its social media surveillance operations. Discord confirms a third-party data breach. A critical vulnerability in the Unity game engine could allow arbitrary code execution. New variants of the XWorm remote access trojan spread through phishing campaigns. Researchers uncover a critical command injection flaw in Dell UnityVSA storage appliances. There’s been a sharp surge in reconnaissance scans targeting Palo Alto Networks login portals. A new hacking competition offers $4.5 million in prizes for exploits targeting major cloud and AI software. Monday Business Brief. On our Afternoon Cyber Tea segment with Microsoft’s Ann Johnson, Ann and guest Volker Wagner, Chief Information Security Officer at BASF, share some Lessons from the Frontlines of Industrial Security. Don’t spend that ParkMobile settlement all in one place.
Today is Monday, October 6th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A critical zero-day in Oracle E-Business Suite is under active exploitation.
A critical zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882, is being actively exploited after proof-of-concept code was released. The flaw, rated CVSS 9.8 (critical), enables unauthenticated remote code execution over HTTP across versions 12.2.3 through 12.2.14, specifically within the Concurrent Processing BI Publisher Integration component. Attackers are using reverse shell commands to gain persistent access, with observed malicious activity from IPs 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11. Forensic evidence links the exploit toolkit to groups such as Scattered Spider, Lapsus$, and Cl0p. Oracle urges immediate patching, noting only supported systems will receive fixes. Organizations can detect exposure using Nuclei templates or Shodan queries for “OA_HTML.” Continuous monitoring and patch validation are essential to mitigate this active threat.
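The briefing names two indicator IPs and the “OA_HTML” path as the things a defender can check for. As an added example (not code from the briefing or from Oracle), the script below refangs the published indicators, parses a handful of constructed web-server access-log lines, and separates hits from the indicator IPs from evidence that an E-Business Suite front end is reachable at all. The log lines, paths and timestamps are constructed for illustration.

```python
import re
from typing import Dict, List

# Indicators as published in the briefing, in their defanged form.
DEFANGED_IOC_IPS = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]

# Path fragment the briefing points at for exposure checks (Shodan/Nuclei "OA_HTML").
EBS_PATH_MARKER = "/OA_HTML/"

# Combined log format (Apache/Nginx style); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOC_IPS}


def triage_log(lines: List[str]) -> Dict[str, List[dict]]:
    """Split parsed requests into indicator-IP hits and EBS-exposure evidence."""
    findings: Dict[str, List[dict]] = {"ioc_hits": [], "ebs_exposure": []}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; skip rather than guess
        record = match.groupdict()
        if record["ip"] in IOC_IPS:
            findings["ioc_hits"].append(record)
        if EBS_PATH_MARKER in record["path"]:
            findings["ebs_exposure"].append(record)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '200.107.207.26 - - [06/Oct/2025:09:02:44 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 312',
    '192.168.1.20 - - [06/Oct/2025:09:03:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '185.181.60.11 - - [06/Oct/2025:09:05:30 +0000] "GET /OA_HTML/ HTTP/1.1" 404 230',
    "not a log line",
]

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for hit in result["ioc_hits"]:
        print(f"IOC hit: {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    print(f"{len(result['ebs_exposure'])} request(s) touched {EBS_PATH_MARKER}")
```

An indicator hit is worth an incident ticket on its own; the exposure bucket is the list of hosts to prioritise for the patch and for validation that the patch actually took.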
ICE plans a major expansion of its social media surveillance operations.
U.S. Immigration and Customs Enforcement (ICE) is planning a major expansion of its social media surveillance operations, seeking to hire nearly 30 private contractors to monitor platforms such as Facebook, TikTok, and YouTube for intelligence that could inform deportation raids and arrests. According to federal contracting records reviewed by WIRED, the program would operate from ICE’s targeting centers in Vermont and Southern California, running 24/7 and processing cases within hours. Contractors will use open-source intelligence and commercial databases like LexisNexis and CLEAR to assemble digital dossiers. Planning documents also invite proposals incorporating artificial intelligence and automated data collection. Privacy groups, including the ACLU and the Electronic Privacy Information Center, warn that ICE’s growing use of surveillance technologies and data brokers threatens civil liberties and may blur the line between immigration enforcement and political monitoring. ICE has not yet commented on the proposal, which remains in early planning stages.
Discord confirms a third-party data breach.
Discord has confirmed a data breach affecting users who contacted its support or Trust & Safety teams, after a third-party customer service vendor was compromised. Exposed data includes names, emails, billing details, and in some cases, government ID images. Attackers also accessed IP addresses, messages, and attachments, allegedly seeking ransom. Discord emphasized its own systems were not breached, cut off vendor access, and alerted law enforcement. The company calls the impact “limited,” though it hasn’t disclosed how many users were affected.
A critical vulnerability in the Unity game engine could allow arbitrary code execution.
A critical vulnerability in the Unity game engine—tracked as CVE-2025-59489—could allow attackers to execute arbitrary code through compromised Unity-built apps, affecting Android, Windows, Linux, and macOS users. The flaw lets malicious files exploit app permissions to access confidential data, though Unity says any code execution remains limited to the app’s privilege level. No active exploitation has been detected, and patches are now available. Microsoft urged users to keep games updated and ensure Defender protection is enabled, while Steam is blocking risky launch parameters. The bug, discovered by researcher RyotaK of GMO Flatt Security, underscores the vast risk tied to Unity’s global footprint, powering major titles like Pokémon GO and Call of Duty: Mobile.
New variants of the XWorm remote access trojan spread through phishing campaigns.
New variants of the XWorm remote access trojan (RAT) are spreading through phishing campaigns, months after its creator XCoder abandoned the project. Versions 6.0, 6.4, and 6.5 are being adopted by multiple threat actors and now include over 35 modular plugins for data theft, remote control, file encryption, and ransomware. Researchers at Trellix report new infection chains combining social engineering and technical exploits, including malicious JavaScript, Excel macros, and fake executables. The ransomware module, Ransomware.dll, encrypts user files and demands payment via Bitcoin. XWorm’s architecture supports extensive surveillance and credential theft across browsers, email clients, and crypto wallets. Despite its origins as a cracked underground tool, it remains a growing multi-purpose threat across global campaigns, emphasizing the need for layered defenses, EDR monitoring, and strict email filtering.
Researchers uncover a critical command injection flaw in Dell UnityVSA storage appliances.
Researchers at WatchTowr uncovered a critical command injection flaw in Dell UnityVSA storage appliances, tracked as CVE-2025-36604. The bug allows unauthenticated attackers to execute arbitrary commands by exploiting a flaw in the system’s login redirection logic, where unsanitized URIs are passed into a Perl command string. Affected versions include 5.5 and earlier, with 5.5.1 fixing the issue. Dell rates it high severity (CVSS 7.3), though others call it critical (9.8). Organizations should upgrade immediately.
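The root cause described here, a request URI interpolated into a command string, is a general pattern, not something specific to Dell or to Perl. As an added example that is not Dell’s code and does not reproduce the UnityVSA logic, the snippet below shows the anti-pattern next to a hardened version: allowlist the URI, then pass it as a separate argument so no shell ever parses it. The helper binary name and the sample URIs are hypothetical.

```python
import re
import shlex
from typing import List

# Hypothetical helper that a login page might invoke; not a real Dell component.
TOOL = "/usr/local/bin/redirect-helper"


def build_command_vulnerable(request_uri: str) -> str:
    # Anti-pattern: the untrusted URI is spliced into a string that will be handed
    # to a shell. Quoting by hand does not help once the input contains a quote.
    return f"{TOOL} --target '{request_uri}'"


# Conservative allowlist for a redirect target: an absolute path with plain characters.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")


def build_command_safe(request_uri: str) -> List[str]:
    # Hardened form: validate first, reject traversal, and return an argv list.
    # An argv list is executed without a shell, so metacharacters are inert.
    if not SAFE_PATH_RE.match(request_uri) or ".." in request_uri.split("/"):
        raise ValueError("rejected request URI")
    return [TOOL, "--target", request_uri]


def shell_sees(command: str) -> List[str]:
    # What a POSIX shell would tokenise the string into; extra words mean the
    # attacker-controlled input escaped its quotes.
    return shlex.split(command)


# Constructed inputs: one legitimate path, one carrying shell metacharacters.
LEGIT_URI = "/login"
HOSTILE_URI = "/login' && echo injected && '"

if __name__ == "__main__":
    print("vulnerable, legit  :", shell_sees(build_command_vulnerable(LEGIT_URI)))
    print("vulnerable, hostile:", shell_sees(build_command_vulnerable(HOSTILE_URI)))
    print("safe, legit        :", build_command_safe(LEGIT_URI))
    try:
        build_command_safe(HOSTILE_URI)
    except ValueError as exc:
        print("safe, hostile      : rejected,", exc)
```

The same split applies in Perl, where `system` called with a single string containing metacharacters goes through the shell while the list form does not; the fix that matters is the argument-list call plus input validation, and the fix that does not is more careful quoting.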
There’s been a sharp surge in reconnaissance scans targeting Palo Alto Networks login portals.
Security researchers at GreyNoise report a sharp 500% surge in reconnaissance scans targeting Palo Alto Networks login portals, with activity peaking at 1,300 IPs on October 3 compared to typical volumes below 200. Most scanning originated in the U.S. (91%), and 93% of IPs were flagged as suspicious. GreyNoise noted that similar surges have sometimes preceded new vulnerability disclosures, though no direct link has been established here. The activity mirrors recent spikes in Cisco ASA and other remote access product scans, showing overlapping tooling and TLS fingerprints. The increase underscores continued attacker interest in security appliances, which often serve as high-value network entry points. GreyNoise is continuing to monitor whether this surge signals emerging vulnerabilities or coordinated reconnaissance efforts.
A new hacking competition offers $4.5 million in prizes for exploits targeting major cloud and AI software.
Cloud security firm Wiz has launched Zeroday.Cloud, a new hacking competition offering $4.5 million in prizes for exploits targeting major cloud and AI software. Backed by AWS, Google Cloud, and Microsoft, the contest runs live at Black Hat Europe (Dec. 10–11), with entries due Dec. 1. Categories include AI, Kubernetes, containers, web servers, databases, and DevOps tools, with top rewards reaching $300,000 for Nginx exploits. Despite strong industry support, Trend Micro has accused Wiz of copying Pwn2Own rules verbatim.
Monday Business Brief
This week’s Monday Business Brief highlights a surge of mergers, acquisitions, and investments shaping the global AI and cloud landscape. Accenture announced plans to acquire Japan’s Aidemy Inc. to strengthen its LearnVantage service, while HoneyBook bought Fine.dev to expand its AI development capabilities. Harness acquired Qwiet AI to enhance application security, and Taoping finalized a $21.3 million deal for Skyladder Group. Meanwhile, Liatrio purchased SuperOrbital’s IP to merge consulting with advanced training.
On the investment front, Cerebras Systems raised $1.1 billion (valuation $8.1B) to expand AI chip innovation, while Vercel secured $300 million (valuation $9.3B) to scale its AI cloud platform. Other notable rounds include Descope ($88M), Zania ($18M), Mondoo ($17.5M), Gelt ($13M), Longeye ($5M), and Hupside ($1.7M). Clearwater and InOrbit.AI also received undisclosed strategic and Series A funding, respectively.
Ethan Cook is the editor of our CyberWire Pro business brief newsletter. You can learn more and subscribe at thecyberwire dot com.
Up next: What does it really take to defend one of the world’s largest chemical companies? Guest Volker Wagner joins N2K CyberWire's Afternoon Cyber Tea podcast with Ann Johnson.
That's Ann Johnson from her show Afternoon Cyber Tea. Go listen to the full conversation now!
Don’t spend that ParkMobile settlement all in one place.
After nearly four years and a $32.8 million class-action settlement, ParkMobile has finally compensated victims of its 2021 data breach — to the tune of a whole dollar. Yes, affected users are receiving a $1 in-app credit, dispensed as four dazzling $0.25 discounts, expiring in 2026 (unless you’re in California, where small mercies never expire).
The breach exposed data from 22 million accounts, including names, emails, license plates, and hashed passwords. ParkMobile denied wrongdoing, of course, while urging users to manually claim their reward via a code — P@rkMobile-$1 — because convenience apparently wasn’t part of the settlement.
Adding insult to micro-injury, ParkMobile also warned of fresh phishing scams targeting its customers. So, if you get a text asking for payment, ignore it. Unless it’s your $1 credit, which, let’s face it, you’ve already earned the hard way.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Programming notes:
One quick note before we wrap up: I’ve been nominated for the SANS Difference Maker Award in the Media Creator of the Year category. I’m honored to be recognized and would appreciate your support. You’ll find the link to vote in our show notes, and voting is open until Wednesday, October 8th at 11:59 p.m. Eastern. Thanks for listening, and for being part of the N2K CyberWire community.
A special edition episode dropped on Sunday, spotlighting the DataTribe Challenge — a launchpad for elite cybersecurity and cyber-adjacent startups ready to break out.
Now entering its 8th year in 2025, the Challenge returns with a new venue and major updates. In this episode, Leo Scott, Managing Director and Chief Innovation Officer at DataTribe, takes us through the event’s evolution, joined by three past winners who share how it accelerated their growth. Listen to the full conversation now wherever you get your podcasts.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
