CISOPlatform • Daily Breach Intelligence


Daily Breach Intelligence – 25 November 2025

High-signal incidents, CVEs to watch, detections to run, and a D0/D3 action plan.
Shared via CISO Platform.


Focus period: Last 24 hours • Audience: CISOs & Security Leadership


Overall severity: Critical • High-signal only • CISO-first view


Headlines [Critical]

  • Nationwide CodeRED emergency alert system crippled by INC Ransom attack, forcing OnSolve to decommission the legacy platform and potentially exposing data of millions of US residents
  • Massive ADDA.io breach: ~1.8M users of the Indian housing-society app reportedly exposed on a hacker forum, including names, phone numbers, email IDs and addresses
  • “Sha1-Hulud: The Second Coming” npm supply-chain worm compromises 800+ packages and tens of thousands of GitHub repos, exfiltrating CI/CD secrets at scale
  • Oracle E-Business Suite zero-day campaign widens as Broadcom joins the growing Cl0p-linked victim list across finance, telecom, tech and manufacturing
  • Comcast hit with $1.5M FCC fine after vendor FBCS breach exposed data of ~237k customers, with a mandate for stronger third-party security oversight


What’s New

  • Ransomware timing analysis shows attacks clustering on weekends, holidays and during corporate upheavals, leaving identity and critical-infrastructure environments exposed in off-hours
  • Kaspersky and VDC Research estimate ransomware could drive over $18B in losses for global manufacturing in the first three quarters of 2025
  • US Ivy League universities, including Harvard, face renewed cyberattacks leading to data breaches and mounting class-action lawsuits amid political pressure
  • Comcast–FCC settlement highlights regulators’ expectation that enterprises actively police vendor security, not merely rely on contractual data-protection clauses


Exploits & CVEs Watchlist [Critical]

  • Fortinet FortiWeb WAF: actively exploited OS command-injection and path-traversal flaws (CVE-2025-58034, CVE-2025-64446) allow remote attackers to execute administrative commands via crafted HTTP(S) requests
  • Apache Syncope IAM: CVE-2025-65998 design flaw using a hard-coded AES key means attackers with DB access can decrypt all stored user passwords in affected setups
  • WordPress W3 Total Cache: CVE-2025-9501 unauthenticated command-injection RCE with public PoC threatens over 1M WordPress sites running vulnerable plugin versions
  • Google Chrome / Chromium: CVE-2025-13223 V8 type-confusion zero-day, now in CISA KEV, enables remote code execution via malicious HTML and is confirmed as actively exploited
  • NVIDIA Isaac-GR00T robotics: local code-injection flaws CVE-2025-33183 / CVE-2025-33184 allow code execution, privilege escalation and data tampering across all supported platforms


Detections To Run Today [Action Required]

  • CI/CD and developer endpoints: hunt for the “Sha1-Hulud” npm worm by flagging new or unexpected npm dependencies with preinstall scripts and outbound connections to suspicious GitHub repos named around leaked secrets
  • Perimeter/WAF logs: search FortiWeb traffic for path-traversal and command-injection patterns targeting CGI handlers consistent with CVE-2025-58034 / CVE-2025-64446 exploitation
  • Web / WordPress telemetry: detect malicious comments or requests containing W3TC mfunc tags and unexpected eval-like behaviour indicating W3 Total Cache CVE-2025-9501 exploitation
  • Endpoint / EDR: flag ClickFix-style fake Windows Update lures by correlating unsigned full-screen “Windows Update” processes with recent email/drive downloads and script/loader execution
  • Windows fleet & IAM: monitor for abnormal runs of Microsoft Update Health Tools and unusual bulk password-decryption or export behaviour in Apache Syncope suggestive of CVE-2025-65998 abuse
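A starting point for the Sha1-Hulud hunt in the first bullet above, as an added example that is not part of the original bulletin: it walks a node_modules tree, reports every package declaring an install-time lifecycle script, and drops packages already on an approved baseline so only new or unexpected hooks remain for triage. The sample tree, package names and script text are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Hooks npm runs automatically on install; an install-time worm relies on one of these.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_lifecycle_scripts(node_modules: Path) -> list[dict]:
    """Return every package (nested deps included) declaring an install-time hook."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep hunting
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:  # keep the script text so an analyst can triage it
            findings.append({"name": meta.get("name", pkg_json.parent.name),
                             "version": str(meta.get("version", "?")),
                             "path": str(pkg_json.parent), "hooks": hooks})
    return findings

def unexpected(findings: list[dict], baseline: set[str]) -> list[dict]:
    """Drop name@version pairs already approved to use install hooks (e.g. native add-ons)."""
    return [f for f in findings if f"{f['name']}@{f['version']}" not in baseline]

def build_sample_tree(node_modules: Path) -> Path:
    """Write a constructed node_modules tree (sample data, not real packages)."""
    samples = {  # relative path -> manifest fields
        "plain-util": {"version": "1.0.0", "scripts": {"test": "node test.js"}},
        "native-addon-ok": {"version": "2.1.0", "scripts": {"install": "node-gyp rebuild"}},
        "odd-dep": {"version": "0.0.7", "scripts": {"preinstall": "node ./lib/init.js"}},
        "native-addon-ok/node_modules/nested-hook":
            {"version": "3.2.1", "scripts": {"postinstall": "node hook.js"}},
    }
    for rel, meta in samples.items():
        pkg_dir = node_modules / rel
        pkg_dir.mkdir(parents=True)
        manifest = {"name": rel.rsplit("/", 1)[-1], **meta}
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return node_modules

def demo() -> list[str]:
    """Scan the constructed tree against a one-entry baseline; return sorted flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = build_sample_tree(Path(tmp) / "node_modules")
        baseline = {"native-addon-ok@2.1.0"}  # approved: legitimate native build step
        return sorted(f["name"] for f in unexpected(find_lifecycle_scripts(nm), baseline))
```

Call demo() to see the result on the constructed tree; for a real hunt, point find_lifecycle_scripts at a project's node_modules and feed a baseline built from the last known-good install.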


Control Checks [Recommended]

  • Confirm all internet-facing FortiWeb instances are upgraded to vendor-recommended fixed releases for CVE-2025-58034 / CVE-2025-64446 and that legacy appliances are disabled or tightly geofenced
  • Enforce emergency updates for Chrome and other Chromium-based browsers to versions that remediate CVE-2025-13223, treating the KEV listing as a must-patch across all managed endpoints
  • Inventory WordPress deployments using W3 Total Cache and either upgrade to ≥2.8.13 or temporarily disable the plugin while WAF rules and hardening are applied
  • Apply Microsoft guidance/mitigations for the Update Health Tools RCE (KB4023057), focusing on Intune-managed Windows fleets where the component is widely deployed
  • For Apache Syncope and NVIDIA Isaac-GR00T users, schedule near-term upgrades and restrict local access paths to limit credential-decryption and code-injection opportunities


Third-Party & SaaS Risks [Action Required]

  • Map reliance on emergency-notification providers (OnSolve CodeRED-like) and confirm data inventories, IR playbooks and migration options exist before an outage or ransomware incident
  • For residential/community or property-management apps similar to ADDA.io, reassess PII exposure, minimum-necessary data sharing and monitoring for credential stuffing into corporate SSO
  • Review third-party dev platforms and CI/CD services, tightening token scopes and secret storage in light of Sha1-Hulud’s impact on thousands of GitHub repositories
  • Identify vendors running Oracle E-Business Suite on your behalf and confirm patch status and any exposure to the current Cl0p-attributed campaign
  • Use the Comcast FCC settlement as a case study to stress-test your vendor-risk program, contract language and right-to-audit around data protection and breach notification


Communication Note

  • Exec / board brief: short update on the CodeRED outage, ADDA.io leak and Sha1-Hulud supply-chain risk with a clear statement of your exposure and remediation status
  • Developer update: targeted note on npm hygiene, secret rotation and plugin patching in response to Sha1-Hulud and W3 Total Cache exploitability
  • Customer / regulator comms: prepare language that demonstrates proactive third-party oversight, referencing the Comcast–FBCS case as an external benchmark
  • Sector teams (manufacturing, education, healthcare): share concise summaries of Kaspersky manufacturing loss estimates and Ivy League breach themes to contextualize sector-specific risk
  • Internal security bulletin: highlight urgent patching priorities (FortiWeb, Chrome, Update Health Tools, Syncope, Isaac-GR00T) and assign accountable owners with ETAs


Action Plan

  • Today (D0): Patch FortiWeb, Chrome, Microsoft Update Health Tools, Apache Syncope and any W3 Total Cache deployments on internet-facing paths; disable or geofence where patching lags
  • Today (D0): Run focused hunts for the Sha1-Hulud npm worm, W3 Total Cache exploitation, ClickFix fake Windows updates and suspicious Isaac-GR00T activity on robotics/OT assets
  • Next 48–72 hours (D1–D3): Refresh the third-party register for emergency-alert, community, dev/CI/CD and Oracle-based service providers; confirm incident-notification terms and current security posture
  • This week (D7): Fold the Comcast FCC settlement, Kaspersky manufacturing numbers and Ivy League breach themes into board / risk-committee materials as third-party and sector-risk exemplars

Community Head, CISO Platform