The CyberWire Daily Podcast 10.24.25
Ep 2420 | 10.24.25

The spy who sold out.

Transcript

A former defense contractor is charged with attempting to sell trade secrets to Russia. Researchers uncover critical vulnerabilities in TP-Link routers. Microsoft patches a critical Windows Server Update Service flaw. CISA issues eight new ICS advisories. “Shadow Escape” targets LLMs’ database connections. Halloween-themed scams spike. Our guest is Chris Inglis, first National Cyber Director, speaking on cybercrime and the upcoming documentary on cyber war, "Midnight in the War Room". WhatsApp’s missing million-dollar exploit.

Today is Friday October 24th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A former defense contractor is charged with attempting to sell trade secrets to Russia. 

Peter Williams, a former director at the Trenchant division of defense contractor L3Harris Technologies, has been charged with stealing and attempting to sell trade secrets to a buyer in Russia, according to the U.S. Justice Department. Prosecutors allege Williams, a 39-year-old Australian, took seven trade secrets from two unidentified companies between April 2022 and August 2025. He resigned from L3Harris in August and is scheduled for arraignment and plea proceedings on October 29 in Washington federal court. Authorities are seeking $1.3 million in forfeiture, along with luxury goods and cryptocurrency accounts allegedly tied to the theft. L3Harris and Trenchant are not accused of wrongdoing. Trenchant, known for zero-day vulnerability research, supports national security and defense cyber operations.

Russia’s cybercriminal ecosystem is undergoing a major upheaval as law enforcement pressure, political control, and international crackdowns reshape long-standing dynamics. Operation Endgame in 2024 disrupted ransomware and money laundering networks, prompting Russia to make rare domestic arrests—signaling a shift from tolerance to selective enforcement. Leaked communications reveal coordination between cybercriminals and Russian intelligence, blurring the line between crime and statecraft. Within underground forums, mistrust is rising amid scams, infiltration fears, and decentralized operations. At the same time, Western nations are escalating counter-ransomware measures, from payment bans to preemptive cyber strikes. Recorded Future’s Insikt Group concludes that Russia now actively manages cybercriminals, using them as geopolitical tools while balancing external pressure, internal control, and strategic utility.

A major cyberattack on Russia’s agricultural watchdog, Rosselkhoznadzor, this week disrupted food shipments nationwide. The agency said a large-scale distributed denial-of-service, or DDoS, attack hit its VetIS and Saturn tracking systems, paralyzing product certification and logistics for several hours. The Mercury platform, required for electronic veterinary documents, was unavailable, halting deliveries of dairy and baby food products. Authorities deny data compromise and say systems have resumed normal operation, though it’s unclear if full restoration occurred.

Researchers uncover critical vulnerabilities in TP-Link routers. 

Forescout Research’s Vedere Labs discovered two critical vulnerabilities—CVE-2025-7850 and CVE-2025-7851—in TP-Link Omada and Festa VPN routers that enable root access and remote command execution. CVE-2025-7850 is a WireGuard private-key sanitization flaw permitting authenticated OS command injection; CVE-2025-7851 exposes hidden CLI debug functionality that allows root SSH logins. Researchers rooted an ER605v2 by chaining the Web UI injection to recreate a missing debug file, then escalated via the debug backdoor. By analyzing LuCI bytecode variations and protocol implementations they found additional, potentially remote vulnerabilities across TP-Link families; fixes are under coordinated disclosure and expected by Q1 2026. Forescout urges immediate patching, perimeter controls, hardened admin access, and monitoring, and warns that recurring firmware patterns and support features routinely enable rooting across network devices.

Microsoft patches a critical Windows Server Update Service flaw. 

Microsoft issued out-of-band updates to fix a critical Windows Server Update Service, WSUS, remote code execution flaw and warned customers to apply patches immediately.

Tracked as CVE-2025-59287, the vulnerability affects only Windows servers with the WSUS Server Role enabled, can be exploited remotely without user interaction, and allows attackers to run code with SYSTEM privileges, making it potentially wormable between WSUS servers.

Administrators should install the cumulative OOB update and reboot, or temporarily disable WSUS or block inbound ports 8530 and 8531 if patches cannot be applied right away.
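The interim steps just described, as an added PowerShell example for administrators (this is not code from the CyberWire episode or from Microsoft): it checks whether the WSUS role is installed, whether the out-of-band update is already present, and, if not, blocks inbound TCP 8530 and 8531 with a removable firewall rule. The KB number of the out-of-band update is an assumption left as a placeholder, since the episode does not give it.

```powershell
# Added example (not from the CyberWire episode or Microsoft): triage a
# Windows Server for CVE-2025-59287 exposure and apply the interim
# mitigation described above. Run in an elevated PowerShell session.
# ASSUMPTION: the KB number of Microsoft's out-of-band update is a
# placeholder; replace it with the real KB for your OS build.

$OobKb     = 'KB-PLACEHOLDER'   # <-- replace with the actual OOB update KB
$WsusPorts = @(8530, 8531)      # WSUS HTTP / HTTPS listener ports

# 1. Is the WSUS server role installed? If not, this host is not affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS role not installed; CVE-2025-59287 does not apply to this host.'
    return
}

# 2. Is the OOB update already present? (A reboot is still required after install.)
if (Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue) {
    Write-Host "$OobKb is installed; reboot if a restart is still pending."
    return
}

# 3. Not patched: record who is currently talking to WSUS, then block inbound
#    8530/8531 with a clearly named rule that can be removed once patched.
Get-NetTCPConnection -LocalPort $WsusPorts -State Listen, Established -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, State, OwningProcess |
    Format-Table -AutoSize

$ruleName = 'Interim block - WSUS CVE-2025-59287'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Host "Inbound TCP $($WsusPorts -join ', ') blocked by rule '$ruleName'."
}

# Alternative interim step named in the advisory: stop the service instead of filtering it.
# Stop-Service -Name WsusService
# Set-Service  -Name WsusService -StartupType Disabled

# After the OOB update is installed and the server rebooted, remove the block:
# Remove-NetFirewallRule -DisplayName $ruleName
```

Blocking the ports is a stopgap: downstream clients stop receiving updates while the rule is in place, so the rule is named so it can be found and removed as soon as the cumulative update is applied and the server has been rebooted.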

CISA issues eight new ICS advisories. 

The Cybersecurity and Infrastructure Security Agency (CISA) issued eight new Industrial Control Systems (ICS) advisories. These cover vulnerabilities affecting control-system products from major vendors including Schneider Electric, Hitachi Energy, Siemens and Delta Electronics. The notices emphasise that operators should review affected devices, apply patches, and follow the vendor-recommended mitigations. CISA urges organisations to prioritise these updates given the critical role of ICS in infrastructure security.

“Shadow Escape” targets LLMs’ database connections.

Researchers at Operant AI have uncovered a new zero-click attack, dubbed “Shadow Escape,” that exploits the Model Context Protocol, or MCP, used to connect large language models like ChatGPT and Gemini to company databases. The flaw allows attackers to hide malicious instructions in ordinary documents, triggering AI assistants to exfiltrate sensitive records—such as Social Security numbers, financial data, and medical files—without user interaction or detection. Because the data theft occurs through legitimate MCP access inside corporate networks, traditional defenses can’t see or stop it. Operant AI warns that trillions of records may already be at risk and urges organizations to audit AI integrations immediately to prevent silent data leaks from trusted internal systems.

Halloween-themed scams spike. 

Bitdefender Labs reports a worldwide spike in Halloween-themed scams between September 15 and October 15 2025, combining fake retail sales, giveaways, crypto offers, and dating lures to trick users. Sixty-three percent of these campaigns were phishing schemes impersonating major brands like Walmart, Amazon, and Home Depot. Most originated from U.S. servers and targeted American consumers. On social media, scammers purchased Meta ads to spread malware disguised as crypto rewards or brand deals. Bitdefender urges caution, advising users to verify links, avoid ad downloads, and treat seasonal “free gifts” with skepticism.


WhatsApp’s missing million-dollar exploit. 

Pwn2Own Ireland 2025 had everything—record payouts, routers laid bare, and printers brought to their digital knees. But what really got the crowd talking was what didn’t happen. A researcher known only as Eugene, poised to unveil a $1 million zero-click WhatsApp exploit, pulled out at the last minute. Officially, it was due to “travel complications.” Unofficially, the exploit just wasn’t ready for its close-up. Trend Micro’s Zero Day Initiative said Meta will still get a private peek, while everyone else is left with 73 other zero-days, $1 million in payouts, and a lingering sense of what might’ve been. Sometimes, in cybersecurity as in show business, the biggest headline is the one that never hits the stage.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.