Security Check-in Quick Hits: Oracle Zero-Days, Palo Alto Probes, AI Abuse, APT35 Leaks, and Telecom DDoS Surge
For October 8, 2025
Oracle E-Business Suite Faces Critical Zero-Day Exploitation
In a concerning development for enterprise software users, Oracle has rushed out an emergency patch for CVE-2025-61882, a severe remote code execution vulnerability in its E-Business Suite (EBS) product. This flaw, rated with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code over the network, making it a prime target for ransomware groups like Cl0p, who have already been spotted exploiting it in data theft operations. The vulnerability affects the Concurrent Processing component, specifically BI Publisher, and requires the October 2023 patch to be installed before applying the fix. Exploits have been leaked publicly, accelerating the risk of widespread attacks, with actors using XSLT injection payloads to read files from compromised servers.
Organizations running Oracle EBS should prioritize patching immediately, as scans and exploits are already underway from IPs like 103.108.229.71. This incident underscores the ongoing arms race between software vendors and threat actors, where zero-days can lead to rapid data breaches if not addressed swiftly. For admins, enabling multi-factor authentication and monitoring for unusual network activity could provide additional layers of defense while patches roll out.
Surge in Reconnaissance Against Palo Alto PAN-OS GlobalProtect Portals
Security teams are on high alert as reconnaissance activity targeting Palo Alto Networks’ PAN-OS GlobalProtect login portals has spiked dramatically. Over 2,200 unique IP addresses have been observed scanning these portals as of October 7, 2025—a 500% increase from earlier in the month, marking the highest activity in the last 90 days according to GreyNoise Intelligence. This surge suggests potential preparation for exploitation of known or emerging vulnerabilities in the VPN gateway software, which is widely used for remote access.
While no specific CVE has been tied to this wave yet, the pattern mirrors pre-attack probing seen in past campaigns against network appliances. Admins should review firewall rules, ensure the latest PAN-OS updates are applied, and consider implementing geo-blocking or rate-limiting on login endpoints to mitigate risks. This event highlights the persistent threat to perimeter defenses, where even unpatched minor flaws can lead to full network compromise if attackers gain a foothold.
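As an added defender-side illustration (not code from the original post or from GreyNoise), the Python below turns the spike described above into a simple alert: it counts distinct source addresses per day from access-log lines and flags any day whose count reaches a multiple of the median of the preceding days. The log format, the `portal_login` event name, the sample addresses and the 5x threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log lines (not real traffic): "<date> <source_ip> <event>".
# Three quiet days, then a fourth day on which 15 distinct addresses hit the portal.
SAMPLE_LOG = "\n".join(
    [
        "2025-10-01 198.51.100.10 portal_login",
        "2025-10-01 198.51.100.11 portal_login",
        "2025-10-01 203.0.113.5 portal_login",
        "2025-10-02 198.51.100.10 portal_login",
        "2025-10-02 198.51.100.12 portal_login",
        "2025-10-02 203.0.113.9 other_event",    # not a portal hit, must be ignored
        "2025-10-03 198.51.100.10 portal_login",
        "2025-10-03 198.51.100.13 portal_login",
        "2025-10-03 198.51.100.13 portal_login",  # repeated IP, counted once
    ]
    + [f"2025-10-04 192.0.2.{i} portal_login" for i in range(1, 16)]
)


def unique_sources_per_day(log_text, event="portal_login"):
    """Map each day to the number of distinct source IPs that produced `event`."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        day, src_ip, ev = parts
        if ev == event:
            per_day[day].add(src_ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def find_surges(counts, ratio=5.0, min_baseline_days=3):
    """Return (day, count, baseline) for each day whose unique-source count is at
    least `ratio` times the median of all earlier days. A minimum baseline length
    stops a single busy day from alerting against no history at all."""
    surges = []
    days = sorted(counts)
    for idx, day in enumerate(days):
        history = [counts[d] for d in days[:idx]]
        if len(history) < min_baseline_days:
            continue
        baseline = median(history)
        if baseline > 0 and counts[day] >= ratio * baseline:
            surges.append((day, counts[day], baseline))
    return surges


if __name__ == "__main__":
    for day, count, baseline in find_surges(unique_sources_per_day(SAMPLE_LOG)):
        print(f"{day}: {count} unique sources vs. baseline {baseline} -> investigate")
```

In practice the baseline window would be the trailing 90 days GreyNoise refers to rather than every prior day, and the alert would feed the rate-limiting or geo-blocking decision rather than just print.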
OpenAI Thwarts State-Linked Hackers Abusing AI for Cyber Operations
OpenAI has released a detailed report on disrupting malicious actors from Russia, North Korea, China, and other nations who attempted to leverage its AI models for cyberattacks and influence operations. The company’s October 2025 findings reveal how groups like DPRK-linked clusters used LLMs to develop command-and-control tools and phishing content targeting diplomats and crypto users. Chinese actors (e.g., UTA0388) employed AI for multilingual phishing and malware debugging in espionage efforts, while Russian operators prototyped stealers and trojans.
Additionally, scam networks from Cambodia, Myanmar, and Nigeria scaled fraud using AI-generated content, and PRC-linked entities explored surveillance tools for social media monitoring. OpenAI’s actions emphasize that adversaries are integrating AI into existing tactics rather than creating novel ones, boosting speed and adaptability. To counter this, platforms must enhance detection, collaborate with researchers, and enforce stricter usage policies. This report serves as a wake-up call for the tech industry on the dual-use risks of generative AI.
IRGC-Linked APT35 Operations Exposed in Major Leak
A significant leak has unveiled internal operations of the Iranian cyber-espionage group APT35 (Charming Kitten), linked to the Islamic Revolutionary Guard Corps (IRGC). The dataset includes Persian-language documents detailing personnel, tools like custom RATs, and campaigns targeting government, legal, academic, aviation, energy, and financial sectors across the Middle East, US, and Asia. The group exploited vulnerabilities such as CVE-2024-1709 for rapid router DNS manipulation and focused on long-term persistence, credential dumping, and data exfiltration.
Tactics involved supply chain attacks, smishing, and EDR evasion, with operators logging extensive hours on phishing infrastructure and malware development. This exposure poses risks to national security and supply chains; affected industries should bolster their defenses against state-sponsored threats through zero-trust models and threat intelligence sharing.
Nokia Highlights Rise in Stealthy Attacks and Massive DDoS in Telecoms
Nokia’s 2025 Threat Intelligence Report reveals alarming trends in critical network security, with 63% of telecom operators experiencing silent intrusions and DDoS attacks peaking over 10 Tbps. The report notes that 70% of operators now use AI-driven detection to combat these evolving threats, which often go unnoticed until significant damage occurs.
Key insights include the shift toward stealthy, persistent attacks that evade traditional defenses, emphasizing the need for proactive monitoring and AI integration. Telecom providers should invest in advanced analytics and zero-trust architectures to stay ahead, as these intrusions could disrupt services and lead to data loss on a massive scale.