
Stomping out critical bugs.
Cisco patches critical vulnerabilities in its Unified Contact Center Express (UCCX) software. CISA lays off 54 employees despite a federal court order halting workforce reductions. Gootloader malware returns. A South Korean telecom is accused of concealing a major malware breach. Russia’s Sandworm launches multiple wiper attacks against Ukraine. China hands out death sentences to scam compound kingpins. My guest is Dr. Sasha O'Connell, Senior Director for Cybersecurity Programs at Aspen Digital. Meta’s moral compass points to profit.
Today is Thursday November 6th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Cisco patches two critical vulnerabilities in its Unified Contact Center Express (UCCX) software.
Cisco has issued patches for two critical vulnerabilities in its Unified Contact Center Express (UCCX) software that could allow remote attackers to gain full control of affected systems. The most severe flaw, tracked as CVE-2025-20354, was found in the platform’s Java Remote Method Invocation process and enables unauthenticated command execution with root privileges. Researcher Jahmel Harris discovered the issue, which Cisco attributed to improper authentication mechanisms. A separate critical flaw in the UCCX Editor app could let attackers bypass authentication and run arbitrary scripts with admin permissions by redirecting login requests to a malicious server. Cisco urges customers to upgrade immediately, though it reports no active exploitation. The company also patched a related high-severity denial-of-service bug in Cisco Identity Services Engine.
CISA lays off 54 employees despite a federal court order halting workforce reductions.
The Department of Homeland Security is moving forward with layoffs at the Cybersecurity and Infrastructure Security Agency (CISA), despite a federal court order temporarily halting some governmentwide workforce reductions during the shutdown. In a legal filing, Acting Director Madhu Gottumukkala said 54 employees in CISA’s Stakeholder Engagement Division received reduction-in-force notices on October 11, before the injunction was issued. CISA maintains compliance with the order, arguing the affected employees are not represented by unions covered under the ruling. The cuts impact staff in partnership, international, and academic outreach roles. While the injunction bars layoffs in “competitive areas” with union members, CISA contends its planned reductions fall outside that scope. The agency declined to comment further, citing ongoing litigation.
CISA warns of an actively exploited critical command injection flaw in a popular Linux server management tool.
CISA is warning that attackers are actively exploiting a critical command injection flaw in Control Web Panel (CWP), a popular Linux server management tool formerly known as CentOS Web Panel. Tracked as CVE-2025-48703 with a CVSS score of 9.0, the vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands if they know a valid non-root username. Researcher Maxime Rinaudo found the issue in CWP’s file manager “changePerm” endpoint, which improperly processes unsanitized input through the chmod command. Exploits enable full system compromise, including reverse shells and data exfiltration. All versions before 0.9.8.1205 are affected, and over 220,000 CWP instances are internet-facing. CISA urges immediate patching or restricting access to trusted networks and conducting compromise assessments.
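The flaw described above is a classic shell command injection: a permission value and path taken from the request are handed to `chmod` through a shell, so shell syntax inside either value is executed. The following is an added illustration, not Control Web Panel's code; `build_shell_command_insecure` and `change_perm_hardened` are hypothetical handlers written here to contrast the weak pattern with one that validates the mode against a strict allowlist, confines the path to the caller's directory, and calls `os.chmod` directly without any shell.

```python
"""Added example: validating input to a chmod-style endpoint.
Hypothetical code, not CWP's; written to show the defensive pattern."""
import os
import re
import stat
import tempfile

# Only a three-digit octal permission string (optionally 0-prefixed) is a valid mode.
MODE_RE = re.compile(r"^0?[0-7]{3}$")


def build_shell_command_insecure(mode: str, path: str) -> str:
    """The weak pattern: request values are interpolated into a command line
    that a shell would parse, so any shell syntax in `mode` or `path`
    (";", "&&", "$(...)") becomes part of the command. The string is only
    returned here, never executed, to keep the example inert."""
    return f"chmod {mode} {path}"


def contains_shell_metachars(value: str) -> bool:
    """Detection helper: flag request values that would change meaning in a shell."""
    return any(ch in value for ch in ";&|$`<>\n")


class PermissionChangeError(ValueError):
    """Raised when a request fails validation."""


def change_perm_hardened(mode: str, relative_path: str, root: str) -> int:
    """Hardened handler: allowlist the mode, confine the path to `root`,
    and call os.chmod directly (no shell). Returns the new permission bits."""
    if not MODE_RE.fullmatch(mode):
        raise PermissionChangeError(f"invalid mode: {mode!r}")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative_path))
    # Reject anything that escapes the allowed directory via '..' or symlinks.
    if os.path.commonpath([root_real, target]) != root_real or target == root_real:
        raise PermissionChangeError(f"path outside allowed root: {relative_path!r}")
    if not os.path.isfile(target):
        raise PermissionChangeError("not a regular file")
    os.chmod(target, int(mode, 8))
    return stat.S_IMODE(os.stat(target).st_mode)


def demo() -> dict:
    """Exercise both handlers on constructed input in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        results["valid"] = change_perm_hardened("640", "notes.txt", root)
        for label, mode, path in [
            ("metachar_mode", "644;echo hi", "notes.txt"),   # shell syntax in mode
            ("traversal", "644", "../../etc/passwd"),        # path escapes root
        ]:
            try:
                change_perm_hardened(mode, path, root)
                results[label] = "accepted"
            except PermissionChangeError as exc:
                results[label] = f"rejected: {exc}"
    results["insecure_cmd"] = build_shell_command_insecure("644;echo hi", "notes.txt")
    results["insecure_flagged"] = contains_shell_metachars("644;echo hi")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is that the hardened version never builds a command line at all: the mode is parsed as an integer and the path is resolved and checked before the system call, so there is nothing for shell metacharacters to act on. Logging values that trip `contains_shell_metachars` is a cheap way to spot probing of such an endpoint.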
Gootloader malware returns.
The Gootloader malware operation has resurfaced after a seven-month hiatus, once again using search engine optimization (SEO) poisoning to lure victims to fake sites offering free legal document templates. These sites distribute malicious JavaScript files disguised as templates like “non_disclosure_agreement.js,” which install additional payloads such as Cobalt Strike and backdoors, often leading to ransomware. Researchers from Huntress Labs and the DFIR Report note that Gootloader’s new campaign uses sophisticated evasion tactics, including custom web fonts that disguise malicious code and malformed ZIP archives that extract different files depending on the tool used. The campaign also deploys the Supper SOCKS5 backdoor, linked to the Vanilla Tempest ransomware affiliate. Security experts warn users to avoid downloading templates from unverified websites.
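One of the evasion tricks mentioned above, a ZIP archive that yields different files depending on the extraction tool, works because a ZIP file carries two views of its contents: the sequence of local file headers and the central directory at the end. Tools that stream through local headers see one set of entries; tools that trust the central directory see another. The following is an added detection example, not code from Huntress Labs or the DFIR Report: it constructs a small inconsistent archive in memory (one entry omitted from the central directory) and reports the discrepancy by walking both views. `build_inconsistent_zip`, `walk_local_headers` and `find_discrepancies` are names chosen here; the entry names and contents are constructed samples.

```python
"""Added example: detect ZIP archives whose local headers and central
directory disagree. Constructed sample data; not from the referenced reports."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"       # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"           # 22-byte end-of-central-directory record


def _local_header(name: bytes, data: bytes) -> bytes:
    """Stored (uncompressed) entry: header followed directly by its data."""
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0x21,
                      zlib.crc32(data), len(data), len(data), len(name), 0)
    return hdr + name + data


def build_inconsistent_zip() -> bytes:
    """Constructed sample: two local entries, but the central directory lists
    only the first. A central-directory-based tool shows one file; a
    sequential parser shows two."""
    entries = [(b"template.txt", b"constructed benign content\n"),
               (b"hidden.js", b"// constructed: absent from central directory\n")]
    body, offsets = b"", []
    for name, data in entries:
        offsets.append(len(body))
        body += _local_header(name, data)
    cd_start = len(body)
    name, data = entries[0]  # only this entry is recorded centrally
    cd = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0x21,
                     zlib.crc32(data), len(data), len(data), len(name),
                     0, 0, 0, 0, 0, offsets[0]) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(cd), cd_start, 0)
    return body + cd + eocd


def build_consistent_zip() -> bytes:
    """Control case: a normal archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("template.txt", "constructed benign content\n")
    return buf.getvalue()


def walk_local_headers(blob: bytes) -> list:
    """Sequential view: follow local headers from offset 0 until the
    signature changes (normally at the start of the central directory)."""
    names, pos = [], 0
    while pos + 30 <= len(blob):
        fields = struct.unpack_from(LOCAL_FMT, blob, pos)
        sig, flags, csize, nlen, xlen = fields[0], fields[2], fields[7], fields[9], fields[10]
        if sig != LOCAL_SIG:
            break
        names.append(blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        if flags & 0x8:
            # Data-descriptor entries carry their size after the data; walking
            # past them needs decompression, so this simple walker stops here.
            break
        pos += 30 + nlen + xlen + csize
    return names


def central_directory_names(blob: bytes) -> list:
    """Central-directory view, as the standard library parses it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def find_discrepancies(blob: bytes) -> dict:
    """Entries visible in one view but not the other are the signal."""
    local = set(walk_local_headers(blob))
    central = set(central_directory_names(blob))
    return {"only_in_local_headers": sorted(local - central),
            "only_in_central_directory": sorted(central - local)}


if __name__ == "__main__":
    print("inconsistent:", find_discrepancies(build_inconsistent_zip()))
    print("consistent:  ", find_discrepancies(build_consistent_zip()))
```

A non-empty result from `find_discrepancies` on an inbound archive is worth quarantining for a closer look, since legitimate archivers write both views consistently. The walker stops at the first data-descriptor entry rather than guessing sizes; a production scanner would inflate such entries to find the next header.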
A South Korean telecom is accused of concealing a major malware breach.
South Korean telecom giant KT is under investigation for allegedly concealing a major malware breach that infected 43 servers with BPFDoor and other malicious code between March and July 2024. Investigators say the compromised systems contained customer data, including names, phone numbers, and device identifiers. The probe also found severe flaws in KT’s femtocell management system, enabling hackers to intercept payment data. Authorities are reviewing legal action and compensation, while KT faces potential obstruction and data protection penalties.
Russia’s Sandworm launches multiple wiper attacks against Ukraine.
Russian state-sponsored hacking group Sandworm, also known as APT44, has launched multiple destructive data-wiping attacks on Ukraine’s government, education, logistics, energy, and grain sectors, according to cybersecurity firm ESET. The campaigns in June and September 2025 used several wiper variants designed to irreversibly erase data and disrupt operations. ESET says the inclusion of Ukraine’s grain industry—a vital source of national revenue—suggests an intent to damage the country’s wartime economy. Some attacks involved the ZeroLot and Sting wipers, deployed via scheduled Windows tasks after access was gained by threat actor UAC-0099. ESET also noted parallel Iranian-linked wiper activity targeting Israel’s energy and engineering sectors. Experts recommend offline backups and robust endpoint protection to mitigate such destructive threats.
China hands out death sentences to scam compound kingpins.
A Chinese court has sentenced five members of a Myanmar-based crime syndicate to death for operating massive online fraud and scamming compounds near the China–Myanmar border. The Shenzhen Intermediate People’s Court identified the ringleader, Bai Suocheng, his son Bai Yingcang, and three others as key figures behind the network, which defrauded victims of more than 29 billion yuan (over $4 billion). The Bai family, formerly leading the Kokang Border Guard Force, ran 41 criminal “industrial parks” tied to fraud, kidnapping, and forced prostitution. Beijing launched its crackdown in 2023 after Chinese citizens were targeted, arresting tens of thousands linked to such syndicates. The scam operations also caused at least six deaths, underscoring Myanmar’s central role in global online fraud networks.
Meta’s moral compass points to profit.
Meta, it seems, has once again confused “moral compass” with “revenue forecast.” Internal documents unearthed by Reuters show the company expected to earn about 10% of its 2024 revenue — roughly $16 billion — from scam ads and banned goods. That’s right: billions from fake investment schemes, fraudulent e-commerce, and shady medical products that Meta’s own systems flagged as “high risk.” Rather than ban those advertisers outright, Meta often just charged them more — a sort of “fraudster’s surcharge” for the privilege of duping users.
The company’s internal estimate: 15 billion scam ads shown daily. And when victims clicked, Meta’s ad system kindly served them even more. Even as executives congratulated themselves for “reducing scam reports,” internal slides admitted Meta’s platforms had become a pillar of the global fraud economy.
But not to worry — Meta promises it’s “working on it.” Just slowly enough not to upset quarterly earnings.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
