RadioCSIRT - English Edition
By: Marc Frédéric GOMEZ
Language: en
Categories: Technology, News
🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.
🔎 On the agenda:
✔️ Analysis of cyberattacks and critical vulnerabilities
✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals
✔️ Sources and references to dive deeper into each topic
💡 Why listen to RadioCSIRT?
🚀 Stay up to date in just a few minutes a day
🛡️ Anticipate threats with reliable, technical information
📢 An essential intelligence source for IT and security professionals
🔗 Listen, share, and secure your environment!
📲 Subscribe and leave a ⭐ rating on your favorite platform!
Episodes
RadioCSIRT English Edition – Your Cybersecurity News for Sunday, January 11, 2026 (Ep. 67)
Jan 11, 2026
We open this episode with a new physical mail scam campaign targeting bank customers in France, according to Planet.fr. The modus operandi begins with the receipt of a letter bearing the letterhead of a financial institution and containing a fake bank card equipped with a chip. The document instructs the recipient to scan a QR code to activate the card. This technique, known as “quishing,” redirects the victim to a malicious website designed to exfiltrate personal data and banking details. The phenomenon, already observed in neighboring European countries, is gaining ground in France. The cards display a high leve...
Duration: 00:06:17
RadioCSIRT – English Edition – Your Cybersecurity News for Saturday, January 10, 2026 (Ep. 66)
Jan 10, 2026
We open this edition with a global overview of the current cyber threat landscape.
The year 2025 confirms a high and persistent level of cyber pressure on organizations, characterized by the convergence of critical technical vulnerabilities, structural dependencies on suppliers, and growing geopolitical tensions. Sector-wide analyses highlight a continuous expansion of attack surfaces, increased exploitation of digital supply chains, and sustained professionalization of malicious actors, whether criminal or state-sponsored.
We then move on to an in-depth analysis of the financial sector, facing a dual structural threat.
Reports from Kaspersky, ENISA, FS-ISAC, and KnowBe4...
RadioCSIRT English Edition – Your Cybersecurity News for Tuesday, January 6, 2026 (Ep. 65)
Jan 06, 2026
We open this episode with a critical vulnerability in n8n reported by Security Online. CVE-2025-68668, with a CVSS score of 9.9, allows an authenticated user to escape the Python sandbox of the automation platform to execute arbitrary system commands, turning the Code Node into a vector for complete host system compromise.
CVEfeed.io reports an uncontrolled DLL loading flaw in AsusSoftwareManagerAgent. CVE-2025-12793, rated 8.5 in CVSS 4.0, exploits an untrusted search path allowing a local attacker to execute arbitrary code through DLL Namespace manipulation.
Clubic covers the disappearance of Anna's Archive's primary domain. The registry...
Duration: 00:10:27
RadioCSIRT English Edition – Your Cybersecurity News for Monday, December 29, 2025 (Ep. 64)
Dec 29, 2025
Welcome to your daily cybersecurity podcast.
We open this edition with an analysis published by FIRST.org on December 29, 2025, presenting the annual review of vulnerability forecasts for the year 2025. The article, written by Éireann Leverett, confirms the validation of Vuln4Cast project forecasts with 49,183 CVEs published as of December 29, falling within the confidence interval of 41,142 to 49,868 CVEs established in February 2025. The MAPE of 1.39 percent against the upper bound demonstrates excellent accuracy of the forecast models.
The quarterly forecasts for Q4 2025 are also validated with 12,359 CVEs published, within the confidence interval of 11,815 to 14,129 CVEs. T...
Duration: 00:07:29
RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 27, 2025 (Ep. 63)
Dec 27, 2025
Welcome to your daily cybersecurity podcast.
We open this edition with several security advisories published by CERT-FR regarding critical vulnerabilities affecting major components of the Linux ecosystem and enterprise environments. The bulletins notably concern Ubuntu, Red Hat, and IBM products, which are exposed to flaws that may allow privilege escalation, arbitrary code execution, or compromise of confidentiality. These vulnerabilities affect widely deployed components in server and cloud infrastructures, highlighting the need for rigorous patch management in critical environments.
We then analyze a vulnerability affecting the Roundcube webmail, referenced as CVE-2025-68461. This flaw allows a...
Duration: 00:12:21
RadioCSIRT – English Edition – Your Cybersecurity News, Friday 26 December 2025 (Ep. 62)
Dec 26, 2025
Welcome to your daily cybersecurity podcast.
We open this edition with a case combining cybercrime and intelligence activities in Eastern Europe. In Georgia, the former head of counterintelligence has been arrested as part of an investigation into large-scale scam centers. Authorities suspect he facilitated or protected structured fraud operations targeting international victims, once again highlighting the convergence of organized crime, corruption, and cyber fraud.
We then analyze a phishing campaign targeting cryptocurrency users through fake emails impersonating Grubhub. The messages promise a tenfold return on cryptocurrency sent by victims. Funds are immediately redirected to attacker-controlled...
Duration: 00:04:54
RadioCSIRT – English Edition – (Ep. 61)
Dec 25, 2025
Welcome to your daily cybersecurity podcast.
We open this edition with a geopolitical sequence marking a new phase in transatlantic tensions over digital regulation. The United States has imposed visa restrictions on several European figures involved in regulating technology platforms, including Thierry Breton, former European Commissioner. Washington justifies the decision by accusing European regulators of extraterritorial censorship, notably in the enforcement of the Digital Services Act. The European Union condemned the measure and requested formal explanations, citing an attack on its regulatory sovereignty.
We then analyze CVE-2018-25154, a critical buffer overflow vulnerability affecting GNU...
Duration: 00:09:28
RadioCSIRT – English Edition – Your Daily Cybersecurity News – Wednesday, December 24, 2025 (Ep. 60)
Dec 24, 2025
Welcome to your daily cybersecurity podcast.
A new initiative brings together volunteer cybersecurity experts to help protect water utilities against growing cyber threats. Experienced professionals from the DEF CON Franklin community are paired with water service providers across several U.S. states to conduct assessments, map operational technology (OT) environments, and implement security measures tailored to critical infrastructure constraints. This community-driven model aims to offset limited internal resources and improve resilience against targeted industrial cyberattacks.
MongoDB has issued an urgent warning urging administrators to immediately patch a severe remote code execution vulnerability affecting components of...
Duration: 00:07:02
RadioCSIRT English Edition – (Ep.59)
Dec 23, 2025
Welcome to your daily cybersecurity podcast.
CISA has added CVE-2023-52163 to its Known Exploited Vulnerabilities Catalog, confirming active exploitation of Digiever DS-2105 Pro network video recorders. This missing authorization flaw allows unauthenticated attackers to bypass security controls. While BOD 22-01 mandates federal agencies to remediate, CISA urges all organizations to prioritize firmware updates. This vulnerability serves as a frequent entry point for actors targeting IoT infrastructure and physical security networks.
Genians Security Center reports on APT37's "Artemis" campaign targeting South Korean entities through malicious HWP documents. The attack chain leverages OLE objects and D...
Duration: 00:07:18
RadioCSIRT English Edition – Your Cybersecurity News for Monday, December 22, 2025 (Ep.58)
Dec 22, 2025
Welcome to your daily cybersecurity podcast.
Pornhub alerts Premium subscribers following data exposure on November 8, 2025, via analytics provider Mixpanel. Cybercriminals threaten to directly contact affected users by email. Mixpanel disputes that data originated from its November 8 security incident, stating no evidence of exfiltration from its systems. Pornhub confirms passwords, payment details, and financial information remain uncompromised, with exposure limited to a restricted set of analytics events. Attackers exploit this data for sextortion campaigns specifically targeting identified Premium users.
Intezer documents a Goffee group campaign targeting Russian military personnel and defense organizations. The initial attack identified...
Duration: 00:06:36
RadioCSIRT English Version - Your Cybersecurity News for Sunday, December 21, 2025 (Ep.57)
Dec 21, 2025
Welcome to your daily cybersecurity podcast.
Most newly registered and parked domains are now serving malicious content. Analysis shows an increasing shift of domain parking services toward hosting phishing pages, fake software updates, and redirects to scam infrastructures. These domains are used as short-lived infrastructure to bypass reputation-based defenses and accelerate fraud and malware delivery campaigns.
The Iranian APT group Infy has resurfaced with a new targeted campaign. Operations rely on spear-phishing emails delivering weaponized documents using political and diplomatic lures. Payloads include updated backdoors, Windows registry-based persistence mechanisms, and obfuscated HTTP(S) C2 channels...
Duration: 00:09:07
RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 20, 2025 (Ep.56)
Dec 20, 2025
Welcome to your daily cybersecurity podcast.
Amazon disclosed the detection of a North Korea-linked infiltration during an IT hiring process. A system administrator claiming to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports blocking more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.
A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as...
Duration: 00:07:37
RadioCSIRT English Edition – Cybersecurity Daily News, Friday 19 December 2025 (Ep.55)
Dec 19, 2025
Welcome to your daily cybersecurity podcast.
French authorities arrested a 22-year-old individual following Interior Ministry system compromise. The intrusion exposed email accounts and confidential documents including judicial records and wanted persons databases. The attack was claimed on BreachForums. The suspect maintained network persistence for several days. Paris Prosecutor charged unauthorized access to state systems as organized group, maximum ten years imprisonment.
WatchGuard published advisory WGSA-2025-00027 addressing CVE-2025-14733, critical Out-of-bounds Write in Fireware OS iked process, CVSS 9.3. Confirmed active exploitation enables remote unauthenticated code execution. Affected versions 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. WatchGuard provides four threat...
Duration: 00:12:10
RadioCSIRT English Edition – Cybersecurity Daily News, Thursday 18 December 2025 (Ep.54)
Dec 18, 2025
Welcome to your daily cybersecurity podcast.
The Clop ransomware group, also tracked as Cl0p, is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Ongoing investigations confirm active scanning, successful intrusions, and the placement of extortion notes on compromised systems. The initial access vector remains unidentified, raising the possibility of a zero-day vulnerability or exploitation of unpatched systems. This activity aligns with Clop’s established focus on file sharing and secure file transfer platforms.
CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-20393 affects mu...
Duration: 00:11:09
RadioCSIRT English Edition – Your cybersecurity News for Wednesday, December 17, 2025 (Ep.53)
Dec 17, 2025
Welcome to your daily cybersecurity podcast.
CISA adds CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th. The flaw affects Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb through improper cryptographic signature verification in FortiCloud SSO SAML authentication. Unauthenticated attackers can bypass authentication via crafted SAML messages. Active exploitation confirmed. CVE-2025-59719 addresses the same underlying issue. Federal agencies face a December 23rd remediation deadline. No ransomware campaign linkage confirmed at this time.
CERT-FR issues advisory CERTFR-2025-AVI-1117 concerning GLPI. Two vulnerabilities identified as CVE-2025-59935 and CVE-2025-64520 affect GLPI versions 9.1.0 through prior to 10.0.21...
Duration: 00:05:48
RadioCSIRT English Edition – Your cybersecurity News for Tuesday, December 16, 2025 (Ep.52)
Dec 16, 2025
Welcome to your daily cybersecurity podcast.
QNAP discloses a high-severity authentication bypass vulnerability tracked as CVE-2025-59385. The flaw allows remote attackers to spoof authentication mechanisms and access protected resources without credentials. The issue affects QTS and QuTS hero systems and is remotely exploitable with no user interaction. Patches are available in QTS 5.2.7.3297 and QuTS hero 5.2.7 and 5.3.1 builds released on October 24.
A second QNAP vulnerability, CVE-2025-62848, exposes QTS and QuTS hero systems to remote denial-of-service attacks. The issue stems from a NULL pointer dereference condition and can be triggered over the network without authentication...
Duration: 00:12:13
RadioCSIRT English Edition – Your cybersecurity News for Monday, December 15, 2025 (Ep.51)
Dec 15, 2025
Welcome to your daily cybersecurity podcast.
Horizon3.ai exposes three critical FreePBX vulnerabilities. The most severe, CVE-2025-66039 scored 9.3, enables complete authentication bypass via simple forged Authorization header. Two additional flaws provide SQL injection and PHP web shell upload for remote code execution. Patches available but require manual CLI configuration and audit of instances exposed before September.
New BreachForums avatar claims major intrusion on French Interior Ministry infrastructure. Actor "Indra" asserts exfiltration of police databases TAJ and FPR with ransom demand under one-week deadline. Place Beauvau confirms email compromise and business application access. Emergency deployment...
Duration: 00:12:52
RadioCSIRT – Your Cyber Security News for Sunday, December 14, 2025 (Ep.50)
Dec 14, 2025
Welcome to your daily cybersecurity podcast.
Apple and Google rush to fix actively exploited Zero-Day flaws. CISA has added CVE-2025-14174 to its KEV catalog, flagging a critical memory corruption vulnerability in the Chromium engine that affects Chrome, Edge, and Brave. Simultaneously, Apple has deployed patches for this same flaw alongside CVE-2025-43529, a WebKit Use-After-Free bug. Discovered by Google's Threat Analysis Group, these vulnerabilities are currently leveraged in "extremely sophisticated" attacks allowing Remote Code Execution (RCE) on iPhones, iPads, and macOS devices via malicious web content. Updating to iOS 26.2 and the latest browser versions is mandatory...
Duration: 00:08:08
RadioCSIRT English Edition – Saturday, December 13, 2025 (Ep.49)
Dec 13, 2025
Welcome to your daily cybersecurity podcast.
Palo Alto Networks Unit 42 exposes Ashen Lepus, a Hamas-affiliated APT actor active since 2018. The group deploys a new .NET modular malware suite named AshTag, targeting governmental and diplomatic entities across the Middle East with confirmed geographic expansion toward Oman and Morocco. The multi-stage infection chain initiates through Arabic-language PDF lures on Palestinian geopolitical themes. Victims download RAR archives containing a binary that side-loads the AshenLoader loader. The group abandoned its proprietary C2 infrastructure in favor of API and authentication subdomains on legitimate domains like api.healthylifefeed.com, which masks malicious traffic...
Duration: 00:08:54
RadioCSIRT English Edition – Top 25 CWE 2025 Deep Dive – Friday, 12 December 2025 (Special Episode)
Dec 12, 2025
Welcome to this special RadioCSIRT cybersecurity briefing.
In this episode, we take an in-depth look at the MITRE Top 25 Common Weakness Enumerations (CWE) for 2025, moving beyond a simple ranking to analyze the structural weaknesses that continue to drive real-world compromises.
This analysis focuses on how recurring flaws such as cross-site scripting, SQL injection, missing authorization, memory corruption, and business logic failures remain dominant attack enablers despite years of awareness, tooling, and secure development frameworks.
We examine why these weaknesses persist, how they are actually exploited in production environments, and what they reveal about...
Duration: 00:09:00
RadioCSIRT English Edition – Your Cybersecurity Update for Thursday, December 11th, 2025 (Ep.47)
Dec 11, 2025
Welcome to your daily cybersecurity podcast.
The Linux kernel 5.4 officially reaches end-of-life. After years of LTS support, this version—massively deployed across Ubuntu, Android, and embedded systems—will no longer receive upstream security patches. This creates a critical risk for industrial and network equipment remaining on this version without a rapid migration path.
Check Point dissects the ValleyRAT backdoor and its kernel-mode rootkit following a public builder leak. The malware features 19 plugins and a digitally signed driver for file hiding and process protection. 85% of detected samples appeared in the last six months, complicating attribution to spec...
Duration: 00:04:57
RadioCSIRT – Your Cybersecurity News for Wednesday, December 10th, 2025 (Ep.46)
Dec 10, 2025
Welcome to your daily cybersecurity podcast.
Microsoft refuses to fix a critical RCE vulnerability in the .NET framework affecting the SoapHttpClientProtocol class. Revealed at Black Hat Europe by researcher Piotr Bazydło from WatchTowr, the flaw enables arbitrary file writes through SOAP URL manipulation. Exploitation relies on unexpected support for FILE and FTP protocols by a class designed to handle HTTP only. Confirmed vulnerable products include Ivanti Endpoint Manager, Umbraco 8 CMS, and Barracuda Service Center, but the actual number of affected applications is likely massive.
CERT-FR publishes advisory CERTFR-2025-AVI-1088 concerning four critical vulnerabilities in I...
Duration: 00:08:33
RadioCSIRT - Pro-Russia Hacktivists Targeting Global Critical Infrastructure
Dec 10, 2025
🚨 CRITICAL ALERT: CISA, FBI, and NSA issue joint advisory AA25-343A on December 9, 2025, warning of active campaigns by four pro-Russia hacktivist groups exploiting VNC vulnerabilities in OT/ICS systems worldwide.
THREAT ACTORS IDENTIFIED:
• Cyber Army of Russia Reborn (CARR) - GRU Unit 74455 linked
• NoName057(16) - Kremlin CISM creation
• Z-Pentest - CARR/NoName merger, OT-specialized
• Sector16 - Emerging January 2025
ATTACK VECTOR:
Mass exploitation of exposed VNC services (ports 5900-5910) with default/weak credentials on HMI devices. Direct SCADA access causing parameter modifications, alarm disabling, and operational disruptions across water, energy, and agriculture sectors.
IMMEDIATE ACTIONS:
S...
RadioCSIRT - Your Cybersecurity Update for Tuesday, 9 December 2025 (Ep.45)
Dec 09, 2025
Welcome to your daily cybersecurity briefing.
The UK’s NCSC has released critical guidance regarding Generative AI security, warning that treating Prompt Injection like SQL Injection is a dangerous misconception. Unlike traditional databases, LLMs lack a rigid boundary between instructions and data, creating an "Inherently Confusable Deputy" problem. The agency advises that the only effective mitigation is architectural: strictly restricting the privileges of tools accessible by the AI, rather than relying on input filters.
A critical authentication bypass vulnerability has been discovered in the Ruby SAML library. Tracked as CVE-2025-25293, th...
Duration: 00:10:49
RadioCSIRT English Edition – Your Cybersecurity Update for Monday, 8 December 2025 (Ep.44)
Dec 08, 2025
Welcome to your daily cybersecurity briefing.
CERT-FR has issued a security advisory regarding a vulnerability affecting the MISP threat-intelligence platform. Under specific configurations, the flaw may allow unauthorized access to internal components or data. Organizations relying on MISP are strongly encouraged to apply the recommended patches without delay to mitigate potential exploitation.
CERT-FR has also released a warning for iPhone users following the identification of active exploitation campaigns using sophisticated exploit chains capable of achieving remote code execution. Devices lacking the latest security updates are especially vulnerable, highlighting the necessity of rapid patch deployment across...
Duration: 00:06:56
RadioCSIRT English Edition – Your Cybersecurity Update for Sunday, 7 December 2025 (Ep.43)
Dec 07, 2025
Welcome to your daily cybersecurity briefing.
The FBI has issued a public service announcement regarding the evolution of "virtual kidnapping" scams, where criminals are now using AI-altered images from social media to fabricate proof-of-life. By manipulating photos to depict physical harm or captivity, threat actors are successfully pressuring families into paying ransoms for loved ones who are actually safe, marking a dangerous shift in extortion tactics.
Threat actors are actively exploiting a command injection vulnerability in Array Networks AG Series VPNs to implant webshells and establish persistence. Critical to note is that while the vendor...
Duration: 00:09:02
RadioCSIRT English Edition – Your Cybersecurity Update for Saturday, 6 December 2025 (Ep.42)
Dec 06, 2025
Welcome to your daily cybersecurity briefing.
The Australian Cyber Security Centre has released new guidance for critical infrastructure regarding the secure integration of Artificial Intelligence into Operational Technology environments. This strategic framework aims to help organizations anticipate physical safety risks caused by algorithmic automation in industrial systems.
CERT-FR (ANSSI) has issued a series of security advisories (AVI-1062 to 1067) flagging multiple critical vulnerabilities requiring immediate attention. System administrators are urged to consult the official feed to identify affected products within their fleets and apply corrective measures without delay.
Barts Health NHS Trust has confirmed...
Duration: 00:12:40
RadioCSIRT - Your Cybersecurity Update for Friday, 5 December 2025 (Ep.41)
Dec 05, 2025
Welcome to your daily cybersecurity briefing.
Cloudflare has attributed today's major service outage to the deployment of an emergency patch intended to mitigate the critical "React2Shell" vulnerability. The incident highlights the delicate balance between security responsiveness and operational stability: the attempt to rapidly mitigate an active flaw resulted in a global software regression, serving as a stark reminder that even the most robust infrastructures remain vulnerable to the side effects of precipitated updates.
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog and simultaneously released technical analysis report AR25-338...
Duration: 00:10:53
RadioCSIRT English Edition – Your Cybersecurity Update for Thursday, 4 December 2025 (Ep.40)
Dec 04, 2025
Welcome to your daily cybersecurity briefing.
Russia has blocked access to Apple’s FaceTime platform and Snap’s Snapchat service, citing their alleged use in coordinating terrorist operations, recruiting criminal actors, and facilitating large-scale fraud against Russian citizens. The decision follows a pattern of escalating restrictions targeting foreign communication platforms, including recent bans on Roblox, Viber, and Signal, with WhatsApp now reportedly under consideration for nationwide blocking.
Google has released a critical Chrome update addressing thirteen security issues, four classified as high severity. One of the flaws, CVE-2025-13633, is a use-after-free vulnerability in Chrome’s Digi...
RadioCSIRT English Edition – Your Cybersecurity Update for Wednesday, 3 December 2025 (Ep.39)
Dec 03, 2025
Welcome to your daily cybersecurity briefing.
DeepSeek Releases V3.2 Open Source Model Rivaling GPT-5
The Chinese AI startup DeepSeek has officially released its V3.2 and V3.2-Speciale models under a fully permissive MIT license. Claiming to outperform GPT-5 in reasoning tasks, the release utilizes a novel "Sparse Attention" architecture to maximize efficiency, marking a significant shift in the open-source AI landscape.
CISA Adds Android Framework Flaws to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with two critical flaws affecting the Android Framework. The vulnerabilities, involving privilege escalation and information...
RadioCSIRT English Edition – Your Cybersecurity Update for Tuesday, 2 December 2025 (Ep.38)
Dec 02, 2025
Welcome to your daily cybersecurity briefing.
Raspberry Pi Raises Prices Amid Rising Production Costs
Raspberry Pi has announced a price increase across several models, citing sustained rises in manufacturing and component costs. The company explains that it can no longer absorb global supply chain pressures. The adjustment will particularly impact integrators, IoT builders, and embedded system deployments relying on low-cost hardware.
Massive Coupang Data Breach Exposes 337 Million Individuals
E-commerce giant Coupang has confirmed a major data breach affecting approximately 337 million users. Exposed data includes personal identification details, contact information, and other sensitive records...
RadioCSIRT English Edition – Your Cybersecurity Update for Monday, 1 December 2025 (Ep.37)
Dec 01, 2025
Welcome to your daily cybersecurity briefing.
Mattermost Patches Silent Security Flaw
CERT-FR reports an "unspecified security issue" in Mattermost Server (MMSA-2025-00545). While technical details remain undisclosed by the vendor, the vulnerability impacts multiple branches including 10.11, 10.12, 11.0, and 11.1. Given the platform's role in centralizing sensitive internal communications, administrators are urged to apply the November 27th updates immediately.
Security Policy Bypass in Stormshield VPN Client
A logic flaw identified as CVE-2025-11955 affects the Stormshield Network VPN Client (v7.5.109). This vulnerability allows local users or attackers to bypass security policies enforced by the administrator, effectively...
RadioCSIRT English Edition – Your Cybersecurity Update for Sunday, 30 November 2025 (Ep.36)
Nov 30, 2025
Welcome to your daily cybersecurity briefing.
Cato CTRL Discloses "HashJack" Prompt Injection
Cato Networks has revealed a new indirect prompt injection technique called "HashJack" that hides malicious payloads within URL fragments. This method blindsides perimeter WAFs but is fully processed by client-side AI browsers like Copilot and Gemini, enabling zero-click data exfiltration and callback phishing.
Superbox Android Devices Linked to BadBox 2.0 Botnet
KrebsOnSecurity reports that "Superbox" streaming devices are shipping with pre-rooted firmware and backdoors connecting to Tencent infrastructure. These devices serve as residential exit nodes for the IPidea proxy network, facilitating ad fraud...
RadioCSIRT – Your Cybersecurity Update for Saturday, 29 November 2025 (Ep.35)
Nov 29, 2025
Welcome to your daily cybersecurity briefing.
CVSS v4.0 – Understanding the New Vulnerability Scoring Model
A new analysis from Malwarebytes provides a clear breakdown of CVSS v4.0, detailing how the updated framework shifts focus toward exploitability, environmental modifiers, and attacker utility. The article highlights changes in severity interpretation, granularity in attack requirements, and the impact of supplemental metrics—key for vulnerability prioritization across CERT, SOC, and risk teams.
Tomiris Deploys New Malware Tools
Kaspersky researchers have identified new components in the Tomiris malware ecosystem, including updated loaders and covert communications modules. These additions reinforce Tomi...
RadioCSIRT – Your Cybersecurity Update for Friday, 28 November 2025 (Ep.34)
Nov 28, 2025
Welcome to your daily cybersecurity briefing.
CISA & Commercial Spyware Targeting Messaging Apps
Following a joint alert by CISA, a technical breakdown reveals how multiple threat actors use QR-based session hijacking, zero-click exploits, and fake apps to compromise end-to-end encrypted messaging platforms such as Signal and WhatsApp. Victims include senior officials and civil society actors across the U.S., Europe, and the Middle East.
ORCA Initiative from Linux Foundation
The Linux Foundation has announced the creation of ORCA, a new Open Robust Compartmentalization Alliance aiming to promote memory...
RadioCSIRT – Your Cybersecurity Update for Thursday, 27 November 2025 (Ep.33)
Nov 27, 2025
Welcome to your daily cybersecurity briefing.
CERT-FR: Advisory 2025-AVI-1042
CERT-FR has issued a new advisory describing several critical vulnerabilities impacting GitLab.
RomCom via SocGholish
Arctic Wolf reports a campaign in which the RomCom threat group leveraged the SocGholish delivery infrastructure for the first time to deploy a targeted Mythic loader. The intrusion targeted a U.S. company indirectly connected to Ukraine, highlighting the evolving infection chains associated with GRU Unit 29155.
ShadowV2 IoT Botnet
Fortinet has analyzed ShadowV2, a Mirai-based IoT botnet observed exclusively during the major AWS outage in October...
RadioCSIRT – Your Cybersecurity Update for Wednesday, 26 November 2025 (Ep.32)
Nov 26, 2025
Welcome to your daily cybersecurity briefing.
💻 JackFix: Fake Windows Update Malware – A new campaign is distributing the JackFix malware through fake Windows Update pop-ups, enabling payload execution and stealthy installation of persistent backdoors.
🇫🇷 CERT-FR: PrimX Targeted – CERT-FR has issued an advisory detailing a compromise affecting PrimX, involving a vulnerability that allows security bypass and unauthorized access to protected data.
🐦 X / Twitter: Massive Internal Exposure – A misconfiguration at X exposed a wide range of internal metadata, service identifiers, and backend endpoints, revealing the scale of the platform’s internal systems.
🇷🇺 Russia & North Korea: Coordinated Operati...
RadioCSIRT – Your Cybersecurity Update for Tuesday, 25 November 2025 (Ep.31)
Nov 25, 2025
Welcome to your daily cybersecurity briefing.
💸 FBI: Bank Impersonation Alert – The FBI reports that cybercriminals have stolen $262 million since January by impersonating bank support teams through sophisticated vishing and smishing campaigns.
📉 Microsoft: Exchange Online Outage – A major service disruption in North America is blocking access to Outlook mailboxes, caused by a configuration change that Microsoft is currently rolling back.
🐛 Supply Chain: Shai-Hulud Worm – A self-replicating worm has infected over 800 npm packages, modifying package.json scripts to exfiltrate AWS and GitHub secrets to external servers.
🦊 Mozilla: Critical Patch Released – Mozilla addresses CVE-2025-13016 in Firefox an...
Duration: 00:07:42
RadioCSIRT – Your Cybersecurity Update for Monday, 24 November 2025 (Ep.30)
Nov 24, 2025
Welcome to your daily cybersecurity briefing.
🛡️ CERT-UA Alert: official update released – CERT-UA publishes an expanded update detailing malicious activity targeting educational and public-sector infrastructures, including new technical insights and reinforced hardening recommendations.
🧪 CERT-FR: new security advisory – CERT-FR issues a refreshed advisory regarding ongoing vulnerability analysis, highlighting potential operational risks affecting both Windows and Linux environments depending on configuration.
✈️ CERT-FR: additional security notice – A second CERT-FR advisory stresses the need for immediate mitigation actions due to the possibility of opportunistic exploitation associated with certain flaws with SYNOLOGY NAS.
🔐 NCSC: guidance for selecting an MSP – The NCSC rel...
RadioCSIRT – Your Cybersecurity Update for Sunday, November 23, 2025 (Ep.29)
Nov 23, 2025
Welcome to your daily cybersecurity podcast.
🛡️ Bulletproof hosting: new national guidance – The Australian Cyber Security Centre releases updated recommendations to mitigate risks posed by “bulletproof hosting” providers frequently used by cybercriminals to evade law-enforcement and defensive actions.
🧪 Wireshark vulnerabilities patched – CERT-FR publishes an advisory detailing several flaws in Wireshark, some of which may trigger denial-of-service conditions or application crashes when parsing specially crafted packets.
✈️ Iberia discloses customer data leak – The Spanish airline confirms a data breach originating from a compromised vendor, exposing personal information, identifiers, and travel-related details of customers.
🔐 Azure Bastion security flaw – A...
RadioCSIRT - How Digital Taxes Increase Cyber Risk: A Strategic Analysis (Ep. 28)
Nov 23, 2025
Episode Description:
In this episode of RadioCSIRT, we examine how rising digital taxes are reshaping the cyber threat landscape. While taxation and cybersecurity may seem unrelated, the financial pressure created by digital taxes can significantly weaken organizational defenses — expanding the attack surface and creating opportunities for cybercriminals.
This episode covers:
• Budget impacts and the reduction of security capabilities
• Growth of ransomware, phishing and legacy-system exploitation
• Supply-chain weak points amplified by economic pressure
• Case studies from the UK, Brazil and India
• Key lessons for CISOs, SOC teams and policymakers
A concise, fac...
Duration: 00:10:01
RadioCSIRT – Your cybersecurity update for Saturday, November 22, 2025 (Ep. 27)
Nov 22, 2025
Welcome to your daily cybersecurity podcast.
🚨 Active exploitation – Oracle Identity Manager: CISA warns that a remote code execution vulnerability in Oracle Identity Manager is being actively exploited, putting IAM infrastructures at immediate risk.
🛠️ SolarWinds Serv-U under fire: Two critical vulnerabilities impact Serv-U, potentially allowing attackers to fully compromise targeted servers.
📨 SonicWall issues emergency patches: The vendor releases fixes for two flaws in its Email Security appliances, including a code execution bug (CVE-2025-40604).
🚆 Massive data breach in Italy: The Italian railway operator Ferrovie dello Stato suffers a major data leak following an attack on con...
Duration: 00:09:56
RadioCSIRT - Your daily cybersecurity update for Friday, November 21, 2025 (Ep. 25)
Nov 21, 2025
Welcome to your daily podcast dedicated to cybersecurity.
🚨 Critical SharePoint Alert: Microsoft issues CVE-2025-59245, a severe privilege escalation flaw that demands immediate attention from administrators.
🎧 Espionage & Malware: Google exposes "BadAudio," the new tool from the APT24 group, while the ShadowPad backdoor resurfaces in fresh targeted campaigns.
☁️ Salesforce Clamps Down: The CRM giant is cutting off access to third-party apps after detecting suspicious activity, moving fast to protect customer data.
💼 Dark Web Job Market: Crime starts young. A new study reveals that the median age of cybercrime job seekers is now just 24 years old.
⚡️ Don't...
Duration: 00:07:54
RadioCSIRT – Your daily cybersecurity update for Thursday, November 20, 2025 (Ep. 24)
Nov 20, 2025
Welcome to your daily podcast dedicated to cybersecurity.
✈️ Industrial espionage by UNC1549: Iranian hackers deploy DEEPROOT and TWOSTROKE backdoors against aerospace and defense sectors, exploiting VDI access and the supply chain.
🤖 Gmail trains its AI with your data: Google enables email and attachment analysis for its Gemini model by default, requiring a complex manual opt-out to preserve privacy.
🍎 New macOS "DigitStealer": A fileless malware specifically targeting Apple Silicon chips to exfiltrate credentials and crypto wallets while bypassing standard detections.
🛡️ Massive scan of GlobalProtect VPNs: A coordinated campaign of 2.3 million scan sessions targets Palo Al...
Duration: 00:06:17
RadioCSIRT – Your Cybersecurity update for Wednesday, November 19, 2025 (Ep.23)
Nov 19, 2025
Welcome to your daily cybersecurity podcast.
🛰️ Europol dismantles multiple digital piracy services after investigators traced more than EUR 47 million in crypto assets linked to illegal IPTV, streaming, and content-distribution platforms;
🛡️ CISA adds a newly identified and actively exploited vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches under strict timelines;
⚠️ PlushDaemon supply-chain attacks: threat actors are hijacking legitimate software update mechanisms to deliver malicious payloads and compromise environments through trusted distribution channels;
📹 Large-scale CCTV compromise: thousands of connected surveillance cameras hijacked for coordinated cybercriminal operations, including unauthorized internal access, reconnaissance, a...
RadioCSIRT – Your Cybersecurity update for Tuesday, November 18, 2025 (Ep.22)
Nov 18, 2025
Welcome to your daily cybersecurity podcast.
🛰️ Australia’s Cyber Arrow Exercise: a large-scale national drill uniting government, industry and critical-infrastructure operators in the energy, communications and finance sectors, focusing on detection capabilities, digital forensics and major incident response readiness.
🛡️ Multiple Vulnerabilities in NetApp Products: several flaws impacting Brocade SANnav and HCI Compute Node Bootstrap OS, enabling remote denial of service, data confidentiality breaches and integrity compromise.
⚠️ Critical Mozilla Thunderbird Vulnerabilities: issues affecting versions prior to 140.5 and 145, allowing remote arbitrary code execution, security-policy bypass and other unspecified behaviors.
🏢 Mattermost Server Vulnerabilities: several versions in the 10.1...
Duration: 00:11:41
RadioCSIRT - Your Cybersecurity update for Monday, November 17, 2025 (Ep. 21)
Nov 17, 2025
Welcome to your daily cybersecurity podcast.
🛰️ RoningLoader analysis: new research unveils the stealthy capabilities of RoningLoader, a modular malware loader designed for evasion, payload staging, and long-term persistence across compromised environments.
🛑 Gh0st RAT impersonation campaigns: recent investigations reveal large-scale social-engineering operations delivering Gh0st RAT through impersonated organizations, using spoofed identities and fraudulent communication channels to compromise victims.
🎭 Online radicalisation via gaming platforms: Europol and partner nations report coordinated action against extremist groups exploiting gaming ecosystems for recruitment, covert communication, and distribution of illicit content.
🏢 IBM AIX/VIOS – Critical vulnerability: a newly disclose...
Duration: 00:13:31
RadioCSIRT – Your Cybersecurity Update for Sunday, November 16, 2025 (Ep.20)
Nov 16, 2025
Welcome to your daily cybersecurity podcast.
🛰️ DNS4EU: the European Union continues to advance its sovereign DNS resolver project, designed to reduce dependency on non-EU services. The initiative aims to deliver a secure, privacy-respecting, and resilient DNS infrastructure operated entirely within Europe, with integrated filtering and threat-detection capabilities.
🛑 Ransomware – Q3 2025 Overview: recent analysis reveals continued growth in ransomware activity, driven by the increasing professionalization of threat groups, industrialized phishing operations, and expanding affiliate networks targeting SMEs, critical infrastructure, and interconnected suppliers.
🎭 North Korean IT worker schemes: several U.S. nationals have pleaded guilty to acting as...
Duration: 00:09:15
RadioCSIRT – Your Cybersecurity Update for Saturday, November 15, 2025 (Ep. 19)
Nov 15, 2025
Bonjour and Welcome to your daily cybersecurity podcast.
🧩 AMD Zen 5: AMD confirms a critical flaw in the rdseed instruction causing severe entropy reduction, weakening cryptographic material generated on Zen 5 processors prior to microcode updates.
🛡️ Akira Ransomware: CISA, the FBI, and international partners release major updates on newly observed TTPs and IOCs, highlighting widespread targeting of SMBs and multiple critical infrastructure sectors.
🌐 FortiWeb: Active exploitation of CVE-2025-64446, a relative path traversal vulnerability enabling administrative command execution through crafted HTTP(S) requests.
🏨 Fake Travel Platforms: A Russian-speaking threat actor registered over 4,300 domains imitating Book...
RadioCSIRT - Your Cybersecurity Update for Friday, November 14, 2025 (Ep. 18)
Nov 14, 2025
Welcome to your daily cybersecurity podcast.
🤖 Anthropic faces controversy over claims that Claude enabled fully automated cyberattacks end-to-end. Several experts question the technical validity and highlight the lack of concrete evidence.
🛡️ Fortinet confirms it silently patched a critical FortiWeb zero-day already exploited in active attacks. The discreet fix was intended to avoid tipping off threat actors monitoring patch cycles.
📞 Cisco Unified CCX: multiple critical vulnerabilities expose call-center infrastructures to compromise, enabling remote code execution and unauthorized access to sensitive systems.
🐉 Google initiates legal action to disrupt a major Chinese SMS phishing triad operatin...
Duration: 00:18:34
RadioCSIRT - Your Cybersecurity update for Thursday, November 13, 2025 (Ep. 17)
Nov 13, 2025
⚡️ Welcome to your daily cybersecurity podcast.
🌐 Google TAG: Q3 2025 bulletin — over 18,000 YouTube channels, 120 domains, and multiple coordinated networks taken down. Massive activity originating from China, Russia, Azerbaijan, Iran, and Turkey, along with seven distinct operations targeting Moldova.
🛡️ CISA reports ongoing cyber threats against Cisco ASA and Firepower devices. Active exploitation, confirmed compromises, and immediate mitigation and patching strongly recommended.
📊 Nagios (CERT-FR): security advisory published on multiple vulnerabilities affecting Nagios XI and related components. Risks include compromise, remote code execution, and privilege escalation — urgent updates required across all monitoring environments.
⚡️ Don’t think — patch! 🚀
📚...
Duration: 00:09:05
RadioCSIRT – Your Cybersecurity update for Wednesday, November 12, 2025 (Ep.16)
Nov 12, 2025
🧩 Welcome Everyone – Today 8 essential stories you can’t miss!
🐧 Curly COMrade: a Russian group abuses Hyper-V to hide Linux malware inside an Alpine VM, effectively bypassing EDR detection.
🇦🇺 ASIO Warning: Australia’s spy chief warns of high-impact cyber sabotage as authoritarian states prepare attacks on power, telecom, and water systems.
💻 OWASP Top 10 (2025): Broken Access Control remains the top web app risk, followed by security misconfiguration and software supply-chain failures.
☁️ Google Private AI Compute: secure AI processing in the cloud with hardware-level encryption, offering on-device privacy and Gemini-scale power.
🧰 Synology BeeStation (CVE-2025-12686...
RadioCSIRT — November Patch Tuesday update (Ep. 15)
Nov 12, 2025
Welcome to your special edition Patch Tuesday briefing 🕵️‍♂️🔥
📌 Microsoft – November 2025 Patch Tuesday: 63 flaws fixed including 1 zero-day
Microsoft has released patches for 63 vulnerabilities this month, including one zero-day actively exploited (CVE-2025-62215) affecting the Windows Kernel. Critical issues include RCE in GDI+ (CVE-2025-60724), Office (CVE-2025-62199), and Visual Studio (CVE-2025-62214), as well as an EoP in DirectX Graphics Kernel (CVE-2025-60716). Key “Exploitation More Likely” issues affect CEIP (CVE-2025-59512), CSC service (CVE-2025-60705) and multiple WinSock driver flaws (CVE-2025-60719, CVE-2025-62217, CVE-2025-62213).
Prioritise: patch the zero-day immediately, deploy the critical updates without delay, and addr...
RadioCSIRT - Your Cybersecurity update for Wednesday, November 11, 2025 (Ep. 14)
Nov 11, 2025
🔐 KeePassXC: full transparency on AI use in development — no AI functions integrated, and every contribution is subject to full human review.
🏢 NCSC (UK): launch of the Cyber Action Toolkit, a free and interactive tool designed to help small businesses strengthen their cybersecurity with simple, practical steps.
💥 Triofox (CVE-2025-12480): active exploitation of a critical flaw (CVSS 9.1) allowing remote code execution through the built-in antivirus feature. Mandiant urges immediate patching.
📱 APT37: the North Korean threat group is abusing Google Find Hub to geolocate and remotely wipe Android smartphones belonging to South Korean victims.
💾 3CX: massi...
Duration: 00:10:52
RadioCSIRT - Your Cybersecurity update for Monday, November 10, 2025 (Ep. 13)
Nov 10, 2025
Welcome to your daily cybersecurity update 🕵️‍♂️🔥
📱 Samsung – New Critical Flaw Added to CISA’s KEV Catalog (CVE-2025-21042)
CISA has added an Out-of-Bounds Write vulnerability affecting certain Samsung mobile devices to its Known Exploited Vulnerabilities Catalog.
This flaw allows data to be written outside intended memory regions, posing risks to system confidentiality and integrity.
Under Binding Operational Directive 22-01, U.S. federal agencies must patch it immediately, and CISA strongly urges all organizations — public and private — to do the same.
💬 LinkedIn – Surge in Phishing Campaigns Targeting Executives
Thirty-four percent of phishing attacks now occur outside trad...
RadioCSIRT — Your Cybersecurity Update for Sunday, November 9, 2025 (Ep. 12)
Nov 09, 2025
Welcome to your weekend cybersecurity briefing 🕵️‍♂️🔥
🐧 Samba — Remote Command Execution (CVE-2025-10230)
A critical vulnerability affects Samba in the WINS module. An unauthenticated attacker can inject commands through unfiltered NetBIOS names and execute arbitrary code on the server. CVSS score: 10.0 (Critical). This flaw allows full system compromise. Immediate patching is strongly recommended.
🧩 SuiteCRM — Session Persistence After Account Deactivation (CVE-2025-64489)
Versions up to 7.14.7 and 8.9.0 fail to revoke sessions when accounts are deactivated. Inactive users can retain access and even reactivate themselves. Severity: High (CVSS 8.3). The issue is fixed in versions 7.14.8 and 8.9.1.
🔐 SuiteCRM — RBAC Enforcement...
Duration: 00:08:12
RadioCSIRT - Your Cybersecurity update for Saturday, November 8, 2025 (Ep. 11)
Nov 08, 2025
Welcome to your weekend cybersecurity bulletin 🕵️‍♂️🔥
💰 Microsoft warns of payroll phishing campaign
Microsoft is alerting organizations to a sophisticated phishing operation dubbed Payroll Pirates. Attackers impersonate HR departments to steal Microsoft 365 credentials and divert employee payroll deposits. The campaign uses spoofed domains and genuine Microsoft forms to bypass security filters.
🎓 Iranian APT targets academic researchers
An Iran-linked group known as APT42 is conducting espionage campaigns against academics and researchers in Europe and North America. Attackers use fake university contact emails and cloned institutional portals to harvest personal data and login credentials.
🎥 ClickFix — Fake CAPTCHA...
Duration: 00:08:12
RadioCSIRT - Your Cybersecurity update for Friday, November 7, 2025 (Ep. 10)
Nov 07, 2025
Welcome to your daily cybersecurity update 🕵️‍♂️🔥
🧩 Suricata — Multiple Vulnerabilities in the Open Source IDS/IPS Engine
Several flaws have been discovered in Suricata affecting versions 8.0.x before 8.0.2 and 7.0.x before 7.0.13. These issues could allow attackers to trigger undefined behaviors or memory corruption. Updated releases include enhanced flow management and decoding security.
💬 Mattermost — Security Flaws in the Collaboration Server
A vulnerability impacts multiple Mattermost Server branches, including versions 10.11.x before 10.11.5 and 11.0.x before 11.0.3. The issue can be exploited remotely, prompting administrators to update immediately and restart services to ensure patches take effect.
🌐 Cisco — Remote Code Executi...
Duration: 00:08:07
RadioCSIRT - Your Cybersecurity Update for Thursday, November 6, 2025 (Ep. 9)
Nov 06, 2025
Welcome to your daily cybersecurity briefing 🕵️‍♂️🔥
💬 Microsoft Teams — Impersonation and Spoofing Vulnerabilities
Check Point Research disclosed four critical flaws in Microsoft Teams allowing attackers to impersonate users, manipulate messages, and spoof notifications. The issues, now patched, could be exploited by both external guests and malicious insiders.
🌐 Google Chrome — Storing ID Data in Autofill
Chrome’s new Enhanced Autofill feature can now store driver’s license and passport details. Convenient, but risky — storing such highly sensitive information in the world’s most targeted browser significantly increases exposure if compromised.
⚖️ China — Death Sentences for Myanmar Scam Kingpins
A Chinese...
RadioCSIRT - Your Cybersecurity update for Wednesday, November 5, 2025 (Ep. 8)
Nov 05, 2025
Welcome to your daily cybersecurity update 🕵️‍♂️🔥
🌐 ICC — openDesk replaces Microsoft Office
The International Criminal Court announces its migration to the open-source suite openDesk, developed under Germany’s ZenDiS initiative. The goal is to strengthen digital sovereignty and reduce dependence on Microsoft solutions.
🐧 Linux — The most critical kernel vulnerabilities of 2025
The Linux kernel faces several critical vulnerabilities this year, including flaws that allow privilege escalation at kernel level. Virtualized and sandboxed systems are particularly at risk, with an urgent recommendation to patch immediately.
🛡️ CISA — Two vulnerabilities added to the KEV catalog
The Cybersecurity and Infrastruct...
RadioCSIRT - Your Cybersecurity Update for Tuesday, November 4th, 2025 (Ep.7)
Nov 04, 2025
Welcome to your daily cybersecurity briefing 🕵️‍♂️🔥
🌐 Tor Browser 15.0 — New Release Based on Firefox ESR 140
The Tor Project has released version 15.0, integrating a full year of upstream security fixes and introducing vertical tab management.
WebAssembly is now handled by NoScript and remains disabled at the Safer and Safest security levels. This is the last version compatible with Android 5–7 and x86 architectures.
🧩 MariaDB — Multiple Vulnerabilities Patched
CERT-FR reports several vulnerabilities affecting all versions prior to 11.7.2. The flaws tracked as CVE-2024-21096, CVE-2025-21490, CVE-2025-30693, and CVE-2025-30722 were fixed in the security bulletin issued on May 7th, 2025. ...
RadioCSIRT — Your Daily Cybersecurity Update for Monday, November 3, 2025 (Ep.6)
Nov 03, 2025
Welcome to your daily cybersecurity briefing 🕵️‍♂️🔥
🐚 Rhysida — Malvertising Campaign and Code-Signing Abuse
The Rhysida ransomware gang continues its campaign using OysterLoader — also known as Broomstick or CleanUpLoader — as an initial access tool. Expel reports more than 40 abused code-signing certificates since June 2025, including several issued through Microsoft Trusted Signing. These certificates are used to disguise malicious binaries and achieve low antivirus detection rates.
🌐 BIND 9 — Thousands of Servers Still Unpatched
The Shadowserver Foundation warns that over 8,200 DNS servers remain vulnerable to CVE-2025-40778 and CVE-2025-40780, including about 100 in the Netherlands. These flaws enable cache poisoning attacks, redirecti...
RadioCSIRT — Your Daily Cybersecurity News for Sunday, November 2, 2025 (Ep.5)
Nov 02, 2025
🎧🛡️ Welcome to your daily cybersecurity update 🕵️‍♂️🔥
🎓 University of Pennsylvania — Investigation into a massive fraudulent email
An offensive email threatening a data leak was sent to thousands of students and alumni using an address spoofed from the Graduate School of Education. The university confirmed it was a fake. The incident response team is actively handling the case.
🕸️ Vampire Wi-Fi — Trapped on public networks
Fraudulent hotspots are impersonating legitimate access points in airports, hotels, and cafés. These “Evil Twin Networks” intercept traffic using packet-sniffing tools. McAfee researchers warn that such attacks mainly target travelers and remote workers.
🐉 China — Glo...
Duration: 00:09:03
RadioCSIRT — Your Daily Cyber Security News for Saturday, November 1, 2025 (Ep.4)
Nov 01, 2025
Welcome to your daily cybersecurity Podcast 💀🎃
🐉 Lanscope — Zero-Day Exploited by Chinese Threat Actors
Hackers linked to China have exploited a zero-day vulnerability in Lanscope, a Japanese network management software.
The flaw allowed unauthorized access to internal systems.
According to research from BleepingComputer, the campaign primarily targeted governmental and industrial organizations in Asia.
🐧 Linux — New Critical Vulnerability
A newly discovered vulnerability in the Linux kernel allows local privilege escalation.
Attackers could exploit it to compromise server systems.
Maintainers recommend immediate updates across all affected environments.
💀 Akira Ransomware — Ongoing Expansion
The Akir...
RadioCSIRT English Version, Your Daily Cyber Security News, Oct 31, 2025 - (Ep.3)
Oct 31, 2025
🎧🎃 RadioCSIRT — Welcome to Your Daily Cybersecurity Briefing 💀⚡️
🧟 VMware Tools — Actively Exploited by a Chinese Group
CISA has ordered U.S. federal agencies to patch vulnerability CVE-2025-41244, which allows local privilege escalation on VMware Aria Operations and VMware Tools virtual machines. The flaw has been exploited since October 2024 by the UNC5174 threat group.
🕸️ XWiki Platform — Critical Injection (CVE-2025-24893)
A critical injection vulnerability in the SolrSearch function allows unauthenticated remote code execution. Rated CVSS 9.8, this flaw is under active exploitation. Fixes are available in versions 15.10.11, 16.4.1, and 16.5.0RC1.
🦇 UNC6384 — Diplomatic Espionage in Europe
Diplomatic entities in...
RadioCSIRT English Version - Your Daily Cyber Security News, Oct 30th, 2025 (Ep.2)
Oct 30, 2025
Welcome to your daily cybersecurity briefing ⚡️
🏦 Maverick Banker — Banking Trojan via WhatsApp
A large-scale campaign is distributing the Maverick Banker Trojan through WhatsApp. Victims receive fraudulent messages containing links to malicious apps designed to steal banking data. Raise awareness among your users.
🕵️ ForumTroll APT — Dante Spyware
The ForumTroll APT group is deploying the Dante spyware, derived from Hacking Team tools, to target sensitive organizations. It features advanced surveillance and data exfiltration capabilities. Strengthen your persistent threat detection controls.
🌐 Mozilla — Multiple Vulnerabilities
New security patches for Firefox address a vulnerability impacting browser stability and...
RadioCSIRT English Version - Your Daily Cyber Security News, Oct 29th, 2025 (Ep.1)
Oct 29, 2025
Welcome to your daily cybersecurity briefing ⚡️
🐱‍👤 Apache Tomcat — Multiple Vulnerabilities
Several flaws affect Tomcat (10.1.x < >
🐧 Kali Linux — 2025.3
New snapshot featuring 10 new tools, major wireless improvements (including Nexmon on Raspberry Pi), and refreshed images/VMs.
🧩 WordPress — CVE-2025-4665 (CFDB7)
A vulnerability in the Contact Form CFDB7 plugin allows SQL Injection and PHP Object Injection. Update or disable the plugin if it’s no longer maintained.
🌊 AISURU — Record-Breaking DDoS Attacks
The AISURU botnet has been linked to DDoS attacks peaking at 20 Tbps against consumer targets, operating under a “DDoS-for-hire” model. Strengthen your scrubbing/anycast c...
RadioCSIRT English version - Episode Zero
Oct 28, 2025
After more than 460 episodes in French, RadioCSIRT expands to a global audience with the launch of RadioCSIRT [EN].
Hosted by Marc Frédéric Gomez, this daily program delivers concise, fact-based cybersecurity intelligence for professionals across CERTs, CSIRTs, SOCs, and CISOs.
Each episode summarizes verified reports from trusted sources — including technical analyses, advisories, and threat intelligence — presented in a neutral and accessible format.
The goal remains unchanged: to provide clear, reliable, and actionable cybersecurity updates every day, without speculation or bias.
Episode 0 introduces the mission, editorial principles, and international vision of RadioCSIRT Intern...
Duration: 00:02:34