Fortinet disclosed another zero-day vulnerability in its FortiWeb firewall just days after revealing a separate exploited flaw. CVE-2025-58034 allows authenticated attackers to run code through crafted HTTP requests, earning a 6.7 CVSS score.
Orange Cyberdefense reports "several exploitation campaigns" are chaining this new flaw with last week's vulnerability for more powerful attacks. Trend Micro detected around 2,000 exploitation attempts.
The timing raises questions about Fortinet's disclosure practices - both vulnerabilities were quietly patched before public disclosure. CISA added the flaw to its Known Exploited Vulnerabilities catalog with an accelerated one-week patching deadline for federal agencies.
Source: Dark Reading
Nearly every organization worldwide (97%) has been hit by supply chain breaches, up dramatically from 81% in 2024, according to BlueVoyant's latest survey of 1,800 IT leaders.
Despite the alarming jump, companies are fighting back. Almost half are now collaborating directly with third parties to fix security issues, and 46% claim to have mature risk management programs in place.
But there's a catch: many programs focus on compliance checkboxes rather than actually reducing risk. Only 16% of companies list risk reduction as their primary goal, while cyber insurance requirements and board mandates drive most efforts. The biggest challenge? Lack of internal support, cited by 60% of program managers.
Source: Infosecurity Magazine
CISA has issued an urgent warning about a zero-day vulnerability in Google Chrome that's already being exploited by attackers. The flaw, CVE-2025-13223, affects Chrome's V8 JavaScript engine and allows hackers to execute malicious code remotely just by tricking users into visiting compromised websites.
The vulnerability impacts Chrome versions before 131.0.6778.72 and extends to other Chromium-based browsers like Microsoft Edge and Brave. Google patched the issue on November 19, 2025, but CISA has given federal agencies until December 10 to update their systems.
With over 3 billion Chrome users worldwide, this high-severity bug poses massive risks for data breaches and malware infections. Users should immediately update to the latest Chrome version to protect themselves.
Source: Cybersecurity News
DoorDash confirmed a recent data breach on November 13 after an employee fell victim to a social engineering scam. Criminals accessed customer names, phone numbers, email addresses, and physical addresses for both delivery drivers and customers.
The good news? No bank account or payment card information was compromised. DoorDash's response team quickly cut off unauthorized access and reported the incident to law enforcement.
The company has implemented additional employee training on social engineering scams and upgraded security systems. Customers should watch for suspicious messages attempting to use their exposed personal information for fraud. This breach adds to 2024's staggering total of 3,158 corporate data compromises.
Source: CNET
Amazon is sounding the alarm about a dangerous new form of warfare where cyberattacks directly enable physical military strikes. The tech giant calls it "cyber-enabled kinetic targeting" - hackers compromise security cameras and surveillance systems to provide real-time intelligence for missile attacks.
The most striking example: Iran's MuddyWater group hacked Jerusalem CCTV cameras in May, then used live feeds to adjust missile targeting during attacks on June 23. This allowed Iranian forces to make real-time adjustments while weapons were in flight.
Amazon's security chief Steve Schmidt warns that traditional cybersecurity approaches treating digital and physical threats separately are now "detrimental." Nation-states are pioneering this hybrid model, and more countries will follow suit, fundamentally changing how warfare operates.
Source: CyberScoop
A threat actor called dino_reborn has deployed seven malicious npm packages that cleverly distinguish between regular users and security researchers before delivering malware. The packages use Adspect cloaking technology to fingerprint visitors through 13 data points including browser details and language preferences.
When researchers visit infected sites, they see only blank pages. But victims encounter fake CAPTCHAs mimicking legitimate crypto exchanges like Uniswap, which redirect them to scam sites after a convincing three-second verification process.
Socket.dev analysts discovered the campaign, tracing it to geneboo@proton.me. The malware blocks developer tools and disables right-click menus to prevent analysis, representing a new evolution in supply chain attacks targeting the npm ecosystem.
Source: Cyber Security News
AT&T customers have until December 18, 2025, to claim their share of a $177 million settlement from two major data breaches. The 2019 breach exposed personal data including Social Security numbers for 73 million customers, while the 2024 Snowflake hack affected phone records of 109 million users.
Customers with documented losses can receive up to $5,000 for the 2019 breach and $2,500 for the 2024 incident. Those without proof of losses still qualify for smaller payments. People affected by both breaches could potentially claim up to $7,500 total.
To file a claim, visit telecomdatasettlement.com with your Class Member ID from Kroll's notification email, or call 833-890-4930 for help.
Source: CNET
Pennsylvania's Attorney General office confirmed a major data breach following a ransomware attack that disrupted services for three weeks in August. The Inc Ransom group claimed responsibility in September, allegedly stealing 5.7 TB of data including personal information like Social Security numbers and medical records from investigative units.
The hackers also accessed details about the office's use of Cellebrite software, which extracts data from mobile devices. While officials say there's no evidence of data misuse, cybersecurity experts remain skeptical since ransomware groups typically publish or sell stolen information. The attack likely exploited a Citrix NetScaler vulnerability called CitrixBleed2.
Source: Security Week
Google released an emergency Chrome update to patch a critical zero-day vulnerability that hackers are already exploiting in the wild. The fix addresses CVE-2025-13223, a type confusion bug in Chrome's V8 JavaScript engine that lets attackers execute malicious code remotely without user interaction.
Google's Threat Analysis Group discovered the flaw on November 12, 2025, and confirmed exploits are circulating. The vulnerability affects Chrome's sandbox protections, potentially allowing hackers to steal data or install malware. A second related bug was also patched.
The update is available in Chrome version 142.0.7444.175 for Windows/Linux and 142.0.7444.176 for Mac. Users should update immediately and enable automatic updates to stay protected.
Source: Cybersecurity News
Iranian state-sponsored hacking group APT42, linked to the Islamic Revolutionary Guard Corps, is conducting an elaborate espionage campaign targeting senior defense and government officials. The hackers spend weeks building relationships with victims through social media before sending fake conference invitations that either steal credentials or install TameCat malware.
The sophisticated PowerShell backdoor communicates through Telegram and Discord, allowing hackers to remotely execute commands and steal sensitive data. APT42 even targets victims' family members to increase pressure and expand their attack surface. Israel's National Digital Agency warns the campaign uses legitimate cloud services mixed with attacker infrastructure to maintain long-term access to high-value targets.
Source: Security Week